Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach (wptavern.com)
An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.
Don't forget about him!
We should give that person a medal for handing those dox to the press...
ELOI, ELOI, LAMA SABACHTHANI!?
Is anybody surprised?
Every law firm I have ever had tangential contact with in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.
A breach like this is not an unexpected result.
"Authorities have not yet identified the hacker behind the Panama Papers breach", well it was the CIA/NSA.
Look at the lack of US based names, so far there has been nothing but known criminals, on the other hand Russia, Pakistan, Iceland, UK have huge names outed.
I would hope that the web server is on a machine with its own internet connection that doesn't share ANYTHING with the internal corporate network besides perhaps a UPS. The less a website is linked to the better.
I'm no web expert, but I have had this conversation over and over again with small to mid-sized business owners. First, assume your web server is going to get herpes. Make your next decision accordingly. Big companies with big budgets have more options.
Should have hired me instead, suckers!
Suck it lawyers. You like to dot your i's and cross your t's at everyone else and think your profession is elite. Then you discover that IT is just as valuable for protecting your property.... the hard way.
There never was a product called outlook web access 2009.
There was outlook web access as part of exchange 2007.
There was outlook web access as part of exchange 2010.
There was outlook web access as part of exchange 2013.
So I have doubts about the validity of this "analysis" of the security breach.
And incidentally, Microsoft is still releasing security patches for exchange 2007, 2010 and 2013.
Keeping multiple WordPress websites up to date has become such a nuisance that I'm converting the older ones to static websites. Those 4,000+ hackers per day have nothing to hack at a static website and go away to find easier targets.
The vulnerabilities and technical methodology for exploit in this incident are kind of interesting, but the outcome is the same. And above everything else, Mossack Fonseca IT staff or management should not travel to China to explain themselves. Would not be good for their health; lots of past experience says so. Not kidding.
How do you know if your WordPress or Drupal site is vulnerable? If the version number is greater than zero of course!
Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!
Morphing Software
Based on the information in the article both sites were running three-year-old software.
Ford sucks because I flew through my windshield after driving down the wrong side of the road doing 90 with no seatbelt and a .25 BAC
Fuckin ford.
The Russians go on the offensive in the domestic media, alleging the dox were faked by the CIA trying to smear his good name.
The Chinese censor it in their domestic media.
The Icelanders protest and their Prime Minister resigns.
ELOI, ELOI, LAMA SABACHTHANI!?
This kind of puts to rest all those new world order conspiracy theories doesn't it? I mean, they can't be that brilliant if they can't even fucking update WordPress once a month. It's literally a calendar reminder to click a button.
If it ain't broke, don't fix it.
This public outing of Mossack Fonseca's pathetic computer security will have the unfortunate consequence of convincing the rest of the firms in that line of work to get more serious about their own. For those who want greater transparency in the world of tax havens this hack of Mossack Fonseca might be a wrench in the works.
I deny that I have not avoided attaining the opposite of that which I do not want.
If they were so lax with security, maybe a simpler explanation is that the files were unencrypted on a file share, and someone brought an external hard disk or flash drive to the office, and copied the whole thing over several days.
What the hell is sensitive client data doing on an Internet connected machine?
Have gnu, will travel.
So they were running essentially an automatic version of this guy
Monstar L
The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access.
They are running Exchange 2010 OWA behind a TMG firewall. Can anybody explain how this is insecure? There are no details provided. Aside from mentioning that the email was unencrypted and the fact that OWA is being published externally, which are both dumb. But, how is the mentioned fact that it's "outdated 2009" the relevant matter? I run instances of this same setup and would like to know, again the unencrypted or externally published not being the factor, just the "outdated" part.
Wordpress vulnerabilities - for once they're a help and not a hindrance.
Just cruising through this digital world at 33 1/3 rpm...
Bernie Sanders warned us about this back in 2011 or so...
https://www.youtube.com/watch?...
Sanders made a speech on the Senate floor in October of 2011 that warned that a proposed trade agreement with Panama would open the floodgates of American money flowing into off-shore tax havens, a plea that ultimately fell on deaf ears as the agreement was signed by President Barack Obama later that year.
Just cruising through this digital world at 33 1/3 rpm...
I hope they catch them and throw the book at them. Life imprisonment at least.
They have embarrassed more very powerful people than Snowden and Assange combined. This type of activity must be stopped.
Their apps are only as secure as the underlying Operating System and PLATFORM they run on, which in the case of WinTEL means not secure at all.
With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.
When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Biggest contributor to Panama breach:
People doing illegal things in the first place.
Yet you are alive
We're talking about 2.6TB of data here, 11.5 million documents, photos, scans, and emails created over a time span of 1970 till now, received in batches during a year.
I highly doubt some external used an exploit in customer facing portals to download this many individual files.
Why is customer account info on a WCMS? The public-facing stuff should be hosted separately from the private/internal stuff (like customer accounts) such that if your public WCMS is breached, the private stuff should be protected. There should be a firewall between the public host and the private customer data hosts/servers. You wouldn't put customer details on a public WCMS normally. Your public site is a sales-ish tool.
For biz-to-biz transactions, typically a CRUD-centric tool would be used, not a WCMS.
That is unless they co-hosted too many different concerns on the same server or LAN/WAN, which is a sin at least as big as not patching WCMS.
Table-ized A.I.
...about PHP, but there it is. A heartfelt ‘thank you’ for the Panama Papers!
Which authorities are wasting time investigating the wrong end of this?
This is like police responding to a call about a theft and finding a garage full of freezers stacked with body parts. Then calmly asking the person who called them if they could please describe the body part that was stolen from their collection.
I'm really getting tired of the misreporting on Forbes from this Fox-Brewster guy. He continues to make stuff up. In an email sent to clients Mossack Fonseca actually admitted the hack came from an email server, yet he "suggests" after an "investigation" using the "Internet Archive Wayback Machine" that Mossack Fonseca ran outdated Drupal sites and that they use a 3-month-old WordPress version. GTFO ... didn't Mossack Fonseca get hacked one year ago.... what does a 3-month-old WordPress version have to do with it? #shittyreporting
I suspect that there's going to be a sudden outbreak of spontaneous Polonium poisoning in Panama due to this leak.
They don't seem to follow any basic security rule:
https://reflets.info/panamapapers-mossack-fonseca-une-incroyable-bourde/
1. Even in the highly unlikely scenario that Wordpress was installed on the same system as Outlook Web Access, it would not provide access to the Exchange email system.
2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Exchange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.
3. Encrypted email? Who the fuck does that? No one, that's who. Let's not bother with any pretentious or condescending horseshit. Probably half of the world's email sits on Exchange servers, corporate on-premise or Office365/Outlook.com/Hotmail... None of it is encrypted at rest. Despite the available option and Google's recent TLS push, SMTP is generally not encrypted. So, email in flight is even more open than at rest. This is the way it is everywhere and is not a major security issue.
4. The Panama Papers consist of 2.6 TERABYTES of data! Have you ever tried to push or pull that much data over the internet? It is a huge undertaking, even with very high speed connections. While technically possible, it is unlikely that that much data was siphoned off remotely, especially from slow-ass Exchange servers.
This entire article is pure fantastical supposition and utter horseshit. 2.6TB of Exchange emails DID NOT come through any Wordpress exploit. This data almost certainly came from an inside source and was walked out on a USB external drive which itself would have taken over 36 hours to copy the data to.
This "story" is utter horseshit. Just like the international outrage over legal financial activities. It's all manufactured nonsense.
So, we've finally got all the evidence of these "illegal" activities. 2.6TB of damning evidence. The world is outraged. The mayor of a city ^h^h^h^h^h^h the Prime Minister of a tiny country has resigned. Let's see the proof of a crime!
What we have is copious amounts of data on LEGAL activities that the have-nots are jealous and envious of, resulting in them making all sorts of accusations and publicly shaming wealthy people. What we still don't seem to have, is proof of any actual crimes.
Public outrage over morally questionable selfishness is pointless stupidity. Where is the crime? Where is the proof?
So many servers run ancient versions of popular CMS packages and then wonder why their server constantly gets hacked.
Heaven forbid they are running WHMCS on a box with other websites (quickest way to get rooted).
It got so bad for us here, I had to write a script to scan customer servers just to find all of the outdated packages.
It amazes me to read some of the reports, seeing sites running decade old software is not uncommon.
Still is a battle to get people to actually update their sites once they have been notified about running old software.
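The commenter above mentions writing a script to find outdated CMS packages on customer servers, and the story summary shows how easily a version can be read off an install (the WordPress autosave.js fingerprint, the public Drupal changelog.txt). The following is an added example, not code from the page or from either project: a filesystem-side audit that reads the version strings WordPress and Drupal 7 ship on disk (wp-includes/version.php, CHANGELOG.txt, includes/bootstrap.inc) and flags installs below a threshold. The MINIMUM_VERSIONS thresholds and the sample install trees are constructed for the example; in use, set the thresholds from the vendors' current security releases and point scan() at your real web roots.

```python
import os
import re
import tempfile

# Hypothetical thresholds for this example; set them from the vendors' current
# security releases before running this against real hosts.
MINIMUM_VERSIONS = {"wordpress": "4.4.2", "drupal": "7.43"}

# Version markers as they appear in the shipped files of each CMS.
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
DRUPAL_CHANGELOG_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+)", re.M)
DRUPAL_BOOTSTRAP_RE = re.compile(r"define\('VERSION',\s*'([^']+)'\)")


def read_text(path):
    """Return a file's contents, or None if it is missing or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def version_tuple(version):
    """'7.23' -> (7, 23) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def detect_wordpress(root):
    text = read_text(os.path.join(root, "wp-includes", "version.php"))
    match = WP_VERSION_RE.search(text) if text else None
    return match.group(1) if match else None


def detect_drupal(root):
    # CHANGELOG.txt is the quickest marker; bootstrap.inc is the authoritative one.
    text = read_text(os.path.join(root, "CHANGELOG.txt"))
    match = DRUPAL_CHANGELOG_RE.search(text) if text else None
    if match:
        return match.group(1)
    text = read_text(os.path.join(root, "includes", "bootstrap.inc"))
    match = DRUPAL_BOOTSTRAP_RE.search(text) if text else None
    return match.group(1) if match else None


def audit(root, minimums=MINIMUM_VERSIONS):
    """Return one finding per CMS detected under root."""
    findings = []
    for name, detector in (("wordpress", detect_wordpress), ("drupal", detect_drupal)):
        found = detector(root)
        if found is None:
            continue
        outdated = version_tuple(found) < version_tuple(minimums[name])
        findings.append({"cms": name, "version": found, "outdated": outdated, "root": root})
    return findings


def scan(base, minimums=MINIMUM_VERSIONS):
    """Audit every web root directly under base (e.g. /var/www or a vhosts dir)."""
    results = []
    for entry in sorted(os.listdir(base)):
        path = os.path.join(base, entry)
        if os.path.isdir(path):
            results.extend(audit(path, minimums))
    return results


def build_sample_tree():
    """Constructed sample: one WordPress 4.1 root and one Drupal 7.23 root."""
    base = tempfile.mkdtemp(prefix="cms-audit-")
    wp = os.path.join(base, "wp")
    os.makedirs(os.path.join(wp, "wp-includes"))
    with open(os.path.join(wp, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '4.1';\n")
    portal = os.path.join(base, "portal")
    os.makedirs(os.path.join(portal, "includes"))
    with open(os.path.join(portal, "CHANGELOG.txt"), "w") as fh:
        fh.write("Drupal 7.23, 2013-01-01\n-----------------------\n")  # date is constructed
    with open(os.path.join(portal, "includes", "bootstrap.inc"), "w") as fh:
        fh.write("<?php\ndefine('VERSION', '7.23');\n")
    return base


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        flag = "OUTDATED" if finding["outdated"] else "ok"
        print(f"{finding['root']}: {finding['cms']} {finding['version']} [{flag}]")
```

Comparing against a single threshold per CMS is only meaningful within one major branch (Drupal 6 and 7 had separate security release lines), so a real inventory keeps one threshold per supported branch. Reading versions from disk rather than over HTTP also sidesteps the reverse fingerprinting the summary describes: a patched install should not need to expose changelog.txt to the world at all.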
There are more technical details in this article.
They are running a 2013 version of Drupal that is vulnerable to SQL injection (dubbed Drupalgeddon).
They are also running an Oracle HTTP server too. That web server seems to be ignoring the .htaccess set up by Drupal, and returns back the entire code of the .module files, and listings of directories, and such.
More interesting is how ICIJ set up their own collaboration around the documents using open source software, like VeraCrypt (fork of TrueCrypt), Backlight (Ruby On Rails tool to index documents in Apache Solr), and Oxwall (a social media type of thing).
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
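The comment above describes a web server that ignored Drupal's .htaccess and served raw .module source and directory listings. Drupal 7 relies on that file (a FilesMatch deny rule for extensions such as .inc and .module, plus Options -Indexes) to keep those out of reach, and a server that does not honour it silently undoes that protection. The following is an added example, not code from the page or from Drupal, showing how to verify that your own deployment still enforces those rules: it takes a fetch function (injected here with constructed responses so it runs offline; for a live check of a server you administer, pass one built on urllib), requests a few paths that must never come back as source or as an index page, and classifies each response. SOURCE_PATHS, LISTING_PATHS and the sample responses are constructed for the example.

```python
import re

# Files Drupal 7's .htaccess is meant to deny (constructed list for the example;
# extend it from the FilesMatch rule in your own .htaccess).
SOURCE_PATHS = [
    "modules/node/node.module",
    "includes/bootstrap.inc",
    "sites/default/settings.php",
]
# Directories that must not produce an autoindex listing (Options -Indexes).
LISTING_PATHS = ["modules/", "sites/default/files/"]

PHP_OPEN_TAG = re.compile(r"<\?php\b")
# Apache-family servers (Oracle HTTP Server included) title autoindex pages this way.
AUTOINDEX_RE = re.compile(r"<title>Index of /", re.I)


def classify(status, body):
    """Map one HTTP response to a finding label, or None when it looks correctly denied."""
    if status in (401, 403, 404):
        return None
    if PHP_OPEN_TAG.search(body):
        return "php-source-exposed"
    if AUTOINDEX_RE.search(body):
        return "directory-listing"
    if status == 200:
        # Often the clean-URL rewrite handing the path to index.php; inspect by hand.
        return "needs-manual-review"
    return None


def check_exposure(fetch, source_paths=SOURCE_PATHS, listing_paths=LISTING_PATHS):
    """Return {path: label} for every path the server should have refused but did not."""
    findings = {}
    for path in list(source_paths) + list(listing_paths):
        status, body = fetch(path)
        label = classify(status, body)
        if label is not None:
            findings[path] = label
    return findings


def make_fetch(table):
    """Build a fetch(path) -> (status, body) function from a constructed response table."""
    def fetch(path):
        return table.get(path, (404, "Not Found"))
    return fetch


# Constructed sample responses standing in for two servers.
HARDENED = {p: (403, "<html>Forbidden</html>") for p in SOURCE_PATHS + LISTING_PATHS}
LEAKY = {
    "modules/node/node.module": (200, "<?php\n/**\n * @file\n * Constructed stand-in for module source.\n */\n"),
    "includes/bootstrap.inc": (200, "<?php\ndefine('VERSION', '7.23');\n"),
    "sites/default/settings.php": (403, "Forbidden"),
    "modules/": (200, "<html><head><title>Index of /modules</title></head><body>...</body></html>"),
    "sites/default/files/": (404, "Not Found"),
}


if __name__ == "__main__":
    print("hardened:", check_exposure(make_fetch(HARDENED)))
    print("leaky:", check_exposure(make_fetch(LEAKY)))
```

A 403 for the .inc and .module paths is the expected result on an Apache that reads the .htaccess; a 200 carrying a PHP open tag means the server is handing the file to the client as plain text, which also exposes whatever database credentials or version constants the file contains. Run the check after every web server migration or change to AllowOverride, since that is exactly when a working .htaccess stops being consulted.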
At least that's what all of the journalists reviewing this stuff for the last year say.
So are there any security issues with that version of OWA that could have led to this leak?
You mention it in the blurb as if it were a big deal but then you don't say anything else about it.
This has a lot of detailed information about the problems with Mossack Fonseca's client portal: http://www.unicornriot.ninja/?... including the possibility of using the website vulns to get into Oracle.
--hongpong.com