Slashdot Mirror


Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach (wptavern.com)

An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.
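The report above identifies the site's versions from the outside (an autosave.js file matching the 4.1 release, a world-readable Drupal changelog). The defender's counterpart is a local self-audit of the same artifacts. The following Python is an added example, not code from the WordPress Tavern report, Slashdot or either CMS project: it reads the version string from WordPress's wp-includes/version.php and the newest entry of Drupal's CHANGELOG.txt, compares both against an operator-supplied baseline of current releases, and flags version-disclosing files that sit under the web root. The sample file contents, the baseline versions and the docroot listing are all constructed for the example; a real audit would read the live files and take the baseline from the vendors' release feeds.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample of WordPress's wp-includes/version.php (not the firm's file).
SAMPLE_WP_VERSION_PHP = """<?php
/** The WordPress version string */
$wp_version = '4.1';
"""

# Constructed sample of the head of a Drupal 7 CHANGELOG.txt; newest entry first.
# Dates are illustrative placeholders.
SAMPLE_DRUPAL_CHANGELOG = """
Drupal 7.23, 2013-08-07
-----------------------
- Fixed security issues (multiple vulnerabilities).

Drupal 7.22, 2013-04-03
-----------------------
- Fixed security issues.
"""

# Constructed baseline of "current" releases. In a real audit this comes from
# the vendors' release feeds, not from a hard-coded table.
BASELINE: Dict[str, str] = {"wordpress": "4.4.2", "drupal": "7.43"}

# Files that reveal the installed version to anyone who can fetch them.
DISCLOSURE_FILES = {"changelog.txt", "readme.html"}


def parse_version(text: str) -> Version:
    """'4.4.2' -> (4, 4, 2); a suffix such as '-beta1' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def wordpress_version(version_php: str) -> Optional[str]:
    """Read $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


def drupal_version(changelog: str) -> Optional[str]:
    """Drupal 7 lists its newest release first, as 'Drupal 7.23, <date>'."""
    for line in changelog.splitlines():
        m = re.match(r"Drupal (\d+(?:\.\d+)+),", line)
        if m:
            return m.group(1)
    return None


def is_outdated(installed: str, latest: str) -> bool:
    # Tuple comparison handles differing component counts: (4, 1) < (4, 4, 2).
    return parse_version(installed) < parse_version(latest)


def audit(installed: Dict[str, Optional[str]], baseline: Dict[str, str]) -> List[str]:
    """Return one finding per product that is unknown or behind the baseline."""
    findings = []
    for product, version in installed.items():
        if version is None:
            findings.append(f"{product}: installed version could not be determined")
        elif is_outdated(version, baseline[product]):
            findings.append(
                f"{product}: {version} is behind {baseline[product]}; apply pending updates"
            )
    return findings


def disclosure_files_present(docroot_listing: List[str]) -> List[str]:
    """Paths under the web root whose basename is a known version-disclosing file."""
    return sorted(
        p for p in docroot_listing if p.rsplit("/", 1)[-1].lower() in DISCLOSURE_FILES
    )


def run_sample() -> List[str]:
    installed = {
        "wordpress": wordpress_version(SAMPLE_WP_VERSION_PHP),
        "drupal": drupal_version(SAMPLE_DRUPAL_CHANGELOG),
    }
    findings = audit(installed, BASELINE)
    # Constructed docroot listing for a client portal.
    for path in disclosure_files_present(
        ["/var/www/portal/CHANGELOG.txt", "/var/www/portal/index.php"]
    ):
        findings.append(f"{path}: version-disclosing file reachable from the web root")
    return findings


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run on the constructed samples it reports both installs as behind the baseline and the portal's CHANGELOG.txt as reachable; the version check is the part that catches the multi-year update gap the report describes, while the disclosure check removes the easy confirmation an outsider would otherwise get for free.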

5 of 155 comments

  1. I'm not surprised... by __aaclcg7560 · · Score: 5, Interesting

    Keeping multiple WordPress websites up to date has become such a nuisance that I'm converting the older ones to static websites. Those 4,000+ hackers per day have nothing to hack at a static website and go away to find easier targets.

    1. Re:I'm not surprised... by __aaclcg7560 · · Score: 3, Interesting

      Seems pretty simple to me

      You still have to log in, respond to any post-update screen messages, and make sure nothing else is broken. Multiply that by a half-dozen WordPress websites, and it becomes a lot of work. A static website doesn't require that much housekeeping.

  2. Interesting how the outed reacted by Lead+Butthead · · Score: 4, Interesting

    The Russians go on the offensive in the domestic media, claiming the dox were faked by the CIA to smear his good name.
    The Chinese censor it in their domestic media.
    The Icelanders protest and their Prime Minister resigns.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?

    1. Re:Interesting how the outed reacted by monkeyxpress · · Score: 3, Interesting

      So what are the big US names involved? Or do they not need these kinds of structures as they have other ways of not paying taxes?

      Next week, apparently. The first round was just to get westerners interested in what would have otherwise been a bit of a flash in the pan 'revelation' that rich people don't pay tax. Most people wouldn't have been interested as the details are complex, and they would have figured such schemes are just part of being rich. The Chinese, Russian and Icelandic reactions to the news have succeeded in getting the common westerner's ears pricked up to the thought that this could be a very big scandal indeed.

      We will see what happens. I suspect David Cameron might be done next week. He is playing extremely strategic word games about his situation, and I can't see why he would bother being so meticulous unless he is concerned something has a good chance of coming out. I suspect he has a very big skeleton in his closet, and is being very careful to ensure he can only be labelled a hypocrite, not an outright liar.

  3. Not convinced by El_Muerte_TDS · · Score: 3, Interesting

    We're talking about 2.6TB of data here: 11.5 million documents, photos, scans, and emails created over a time span from 1970 until now, received in batches over the course of a year.
    I highly doubt some external party used an exploit in customer-facing portals to download this many individual files.