Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach

An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.

Medal winner?

[Lead+Butthead]

We should give that person a medal for handing those dox to the press...

Re:Medal winner?

[DarkOx]

The answer is probably that FATCA probably works.

What I find really telling is Obama's reaction. Never mind how little evidence there was that American's were using off shore accounts to evade taxation, he just knows, they are doing it! We need more regulations! He says all this after his own secretary of state (Hillary Clinton) recently negotiated a trade pact with Panama which will make it easier to do exactly that sort of cheating. An agreement which he then signed into law.

The take away, anything is an excuse for more regulation on the left. That regulation will of course be careful engineered to fall on us ordinary middle class folks and an handful of wealthy industrialists they don't like while not touching their elite friends in Hollywood, Politics, Law, and Academia. Like always some folks will be a little more equal.

At least when the GOP, "just cuts tax rates" I get to enjoy some of the benefit. Sure maybe not to the tune the industrial owner class enjoys but I get something. The fact that the benefit is so unequal has as much to do with the existing structure again enacted by progressives and liberals too.

Lets continue to starve the beast and if we can get it small enough to fit into the tube lets drown it!

Law Firms are Cheap

[jafiwam]

Every law firm I have ever had tangential contact in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.

A breach like this is not an unexpected result.

Re: Law Firms are Cheap

[johnsmithperson123]

It's the same in government, excepting the NSA of course. They all skimp out on IT and most of them get hacked in the end. Look at State and OPM. Face it, the pay scale is broken for IT. Government is having issues- schools don't like to think they need to pay IT more than administrators, FBI doesn't want to pay IT more than agents. So they all have lousy IT tech.

Re:Law Firms are Cheap

[Gumbercules!!]

You know, this is true in my experience, too. I've worked with 3 law firms in the past, one of who is actually massive, and they were all mind blowing cheapskates. One place we tried to get work from charges barristers out at something near $1,000 an hour - and refused to pay an IT company more than $50. They said that kind of work wasn't worth more than that. I literally walked out. Another place was involved in a Royal Commission (a very big deal in Australia) and they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license.

What versions are vulnerable?

[Ark42]

How do you know if your WordPress or Drupal site is vulnerable? If the version number is greater than zero of course!

Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!

Re:What versions are vulnerable?

[Tablizer]

What's the alternative, roll-your-own CMS's? I've done those, and you are always re-inventing features that come standard or are pluggins in established CMS's as management/customers keep asking for new features.

I've found security mistakes in my own code because of typical human error that inherently pops up when dealing with complexity. There may indeed be some security-thru-obscurity from DIY, but it just seems another form of gambling.

I believe the best way to go is to outsource the basic CMS hosting and patching to an experienced vendor who is contractually obligated to patch timely, and verify that they do it via random spot checking.

Because they run lots CMS instances, they should have the scripts and expertise to patch with some degree of economies-of-scale such that the expenses of timely patching shouldn't be too costly for them.

Plus, they are likely to have somebody there Sunday at 3am to patch so that you don't have come in at 3am to patch yourself in order to keep the system up during normal hours.

But, I don't have enough experience with that approach to render a final judgment. If anyone can recommend vendors who fit that bill based on experience, that would be great.

Biggest contributor to Panama breach:

[tlambert]

Biggest contributor to Panama breach:

People doing illegal things in the first place.

Utter Horseshit!

1. Even in the highly unlikely scenario that Wordpress was installed on the same system as Outlook Web Access, it would not provide access to the Exchange email system.

2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Excahange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.

3. Encrypted email? Who the fuck does that? No one, that's who. Let's not bother with any pretentious or condescending horseshit. Probably half of the world's email sits on Exchange servers, corporate on-premise or Office365/Outlook.com/Hotmail... None of it is encrypted at rest. Despite the available option and Google's recent TLS push, SMTP is not generally not encrypted. So, email in flight is even more open than at rest. This is the way it is everywhere and is not a major security issue.

4. The Panama Papers consist of 2.6 TERABYTES of data! Have you ever tried to push or pull that much data over the internet? It is a huge undertaking, even with very high speed connections. While technically possible, it is unlikely that that much data was siphoned off remotely, especially form slow-ass Exchange servers.

This entire article is pure fantastical supposition and utter horseshit. 2.6TB of Exchange emails DID NOT come through any Wordpress exploit. This data almost certainly came from an inside source and was walked out on a USB external drive which itself would have taken over 36 hours to copy the data to.

This "story" is utter horseshit. Just like the international outrage over legal financial activities. It's all manufactured nonsense.

Re:Utter Horseshit!

[jittles]

Oh please. That Telestra customer pushed 1 TB of the Panama papers over his LTEx4 connection just this last Sunday.