Slashdot Mirror

← Back to Stories (view on slashdot.org)

Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach (wptavern.com)

Posted by BeauHD on from the contributing-factors dept.

An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.

103 of 155 comments (clear)

  1. Medal winner? by Lead+Butthead · · Score: 3, Insightful

    We should give that person a medal for handing those dox to the press...

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Medal winner? by RuffMasterD · · Score: 1

      So far the documents have been remarkably devoid of US names/addresses. This suggests either the list was scrubbed, or FATCA works, or US citizens hide their money elsewhere. Most likely the latter. In any case, whoever did this is safe in the US.

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
    2. Re:Medal winner? by Shrike82 · · Score: 2

      Radio news report from the BBC indicated that the US names will be released next week. Not sure why they're being delayed though. Maybe something to do with that election that they're having...

      --
      You can advertise in this sig from as little as £99.99 a month!
    3. Re:Medal winner? by DarkOx · · Score: 3, Insightful

      The answer is probably that FATCA probably works.

      What I find really telling is Obama's reaction. Never mind how little evidence there was that American's were using off shore accounts to evade taxation, he just knows, they are doing it! We need more regulations! He says all this after his own secretary of state (Hillary Clinton) recently negotiated a trade pact with Panama which will make it easier to do exactly that sort of cheating. An agreement which he then signed into law.

      The take away, anything is an excuse for more regulation on the left. That regulation will of course be careful engineered to fall on us ordinary middle class folks and an handful of wealthy industrialists they don't like while not touching their elite friends in Hollywood, Politics, Law, and Academia. Like always some folks will be a little more equal.

      At least when the GOP, "just cuts tax rates" I get to enjoy some of the benefit. Sure maybe not to the tune the industrial owner class enjoys but I get something. The fact that the benefit is so unequal has as much to do with the existing structure again enacted by progressives and liberals too.

      Lets continue to starve the beast and if we can get it small enough to fit into the tube lets drown it!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Medal winner? by SNRatio · · Score: 1

      My guess is that as noted elsewhere on the thread FATCA probably cut down on the use of these schemes by US individuals. So possibly the bulk of records tied to US names are pre-FATCA (old news, so they are getting released later). Post-FATCA probably US individuals have at least another layer or two of companies outside of Panama obscuring the relationship so that banks don't have to worry about complying with FATCA for a US citizen. For the journalists this could mean a lot of dead ends: the name of the ultimate owner isn't in the leaked records.

    5. Re:Medal winner? by tatman · · Score: 1

      well said.....

      --
      I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
    6. Re:Medal winner? by dave420 · · Score: 1

      Or you could wait for the US details to be released, and then make a judgement. Not as much fun, I know, but at least then you won't look like some deranged muppet who values making points more than making points correctly.

    7. Re:Medal winner? by whoever57 · · Score: 2

      At least when the GOP, "just cuts tax rates" I get to enjoy some of the benefit. Sure maybe not to the tune the industrial owner class enjoys but I get something.

      Maybe you do get reduced tax payments, but you also suffer from reduced government spending. You suffer from regulations that don't get enforced, allowing things like companies to destroy the environment. You suffer from Wall Street ignoring regulations that are not enforced. You suffer in many ways, which likely outweigh the small benefit you get from reduced tax rates.

      --
      The real "Libtards" are the Libertarians!
    8. Re:Medal winner? by nbauman · · Score: 2

      One of the beasts that the Republicans starved was the IRS fraud investigators.

      The IRS discovered wholesale tax fraud by organizations claiming to be 401(c) organizations illegally using their tax-deductible contributions for political campaigns.

      Many of these organizations had "Tea Party" and "Patriot" in the name, so the IRS used those key words to find applications to investigate http://www.motherjones.com/pol... It's as if you searched for organizations with "Jihad" in the name to find terrorists.

      The Tea Party organizations and their Republican campaign fund recipients didn't like it when they got caught, so they responded by cutting the IRS budget. These were broad cuts, not only for fraud investigations but also for simple things like 800-number information lines (which they discontinued).

      It got so bad that the IRS' Taxpayer Advocate, Nina Olson, blasted the IRS taxpayer services in her annual report as inadequate.

      That's what happens when you starve the beast. You don't have any more government services. The only people who benefit are people who are committing fraud.

    9. Re:Medal winner? by DarkOx · · Score: 1

      Funny, all the articles I read at the time were already stating there were few Americans on the list. Its a couple TB of data, yea that takes a while to search, or at least to index initially.

      Yet all those other names had already popped out. Once those indexes are built having the computers grep a list of "who is who in politics and business" does not take long. Did you really think the big news outlets decided "hey lets search for all the non-US Citizens first?"

      Dumb.

      But I have waited now, and here we are nearly a week on and I am still waiting for these names Dave!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. Law Firms are Cheap by jafiwam · · Score: 5, Insightful

    Every law firm I have ever had tangential contact in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.

    A breach like this is not an unexpected result.

    1. Re: Law Firms are Cheap by johnsmithperson123 · · Score: 3, Insightful

      It's the same in government, excepting the NSA of course. They all skimp out on IT and most of them get hacked in the end. Look at State and OPM. Face it, the pay scale is broken for IT. Government is having issues- schools don't like to think they need to pay IT more than administrators, FBI doesn't want to pay IT more than agents. So they all have lousy IT tech.

    2. Re:Law Firms are Cheap by buchner.johannes · · Score: 2

      I doubt though that it was a hack, it suspect it might as well be an insider. I mean, it would be so much easier to fetch those 3TB as a employee or contractor than through the website (which as far as we know might not even be connected to the data trove).

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re: Law Firms are Cheap by Anonymous Coward · · Score: 1

      "pay scale is broken for IT" That's why the government relies on expensive 3rd party firms for the development and support. Highly paid contractors staff the vast majority of government related systems. Working on the security and military related systems pays really well.

      And all of the really big hacks we hear about today can be placed squarely on the shoulders of the IT system administrators. Atrocious firewall configurations, bad network appliances configurations, and failure to apply security patches as soon as they are released. And also make your user security privileges more granular, do not over permission the users, and force the users to change often. Address these areas and while you won't be immune to other avenues of attack but you would be more secure than you currently are.

    4. Re:Law Firms are Cheap by Gumbercules!! · · Score: 4, Insightful

      You know, this is true in my experience, too. I've worked with 3 law firms in the past, one of who is actually massive, and they were all mind blowing cheapskates. One place we tried to get work from charges barristers out at something near $1,000 an hour - and refused to pay an IT company more than $50. They said that kind of work wasn't worth more than that. I literally walked out. Another place was involved in a Royal Commission (a very big deal in Australia) and they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license.

    5. Re:Law Firms are Cheap by stridebird · · Score: 2

      "they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license."

      Failing to see the fail here. Of course, if you mean 7-year old unpatched or orphaned software then you have a point. but samba on linux serving files to MS - it does that rather well.

    6. Re:Law Firms are Cheap by aberglas · · Score: 1

      Law firms are all about US vs THEM.

      Our client vs the other client. The partners vs the overworked minions that hope to be partners. The partners vs the Contractors. It is in their soul to think like that. And people that work for them end up thinking like that too.

      One corollary is the low quality of legal information available on the web vs the huge amount on software engineering on sites like stackexchange.

    7. Re:Law Firms are Cheap by Heart44 · · Score: 2

      My experience too with law firms and accountants. I have a feeling they hate paying by the hour.

      I wonder why ...

    8. Re:Law Firms are Cheap by dwywit · · Score: 1

      The word was "server" - i.e. hardware. Without redundancy or top-class backups, seven year-old hardware is a big enough risk, even if it was running modern, fully-patched, fully-hardened/paranoid software.

      --
      They sentenced me to twenty years of boredom
    9. Re:Law Firms are Cheap by houstonbofh · · Score: 1

      I know a lot of consultants that will not work for law firms for these reasons. And of the ones that do, they often expect to never get their last payment. They just build that into the billing... :)

    10. Re:Law Firms are Cheap by tlhIngan · · Score: 1

      Every law firm I have ever had tangential contact in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.

      Not just law firms, but doctors and accountants as well. Basically it's as if the degree on the wall means they're more intelligent than the rest of the world, and unless you have a comparable degree, you're an idiot. (Hrm... doesn't that sound familiar?)

      And yes, they also subscribe to the "control costs" thing - they know that to make more profit, you reduce costs, so IT gets cut cut cut. Plus, they will cheap out and cut any corner they can, and try to stiff any service provider they can as long as they can - so getting paid is pulling teeth. Again, they're smarter than you and if you spend enough money to go to court, they'll pay up after you spent time and money trying to collect.

      And yes, if it works, they don't believe in updates or anything that costs money. If you're lucky, you'll have a server that was the best buy special on sale, but will probably also be the secretary's or receptionist's PC.

    11. Re:Law Firms are Cheap by Anonymous Coward · · Score: 1

      You would be shocked to see something like that, but with all the drives that would provide redundancy failed.
      They didn't even attempt to erase the data when it was trashed.

    12. Re:Law Firms are Cheap by wbr1 · · Score: 1

      I work for a small local IT firm. Many of our clients are law firms, including our largest client. That one is okay but demanding. The rest are exactly as states, cheap, will not take ownership of policy or user created issues, late with pay, etc.

      --
      Silence is a state of mime.
    13. Re:Law Firms are Cheap by tatman · · Score: 1

      My experience too with law firms and accountants. I have a feeling they hate paying by the hour.

      But they sure don't mind charging by the hour (in 1/6 hr increments no less)

      --
      I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
    14. Re:Law Firms are Cheap by afidel · · Score: 1

      Having just started working for one of the biggest law firms in the world I have to say that they're not all cheap, we spend about the same per employee as my previous employer (~$14,000/year) which is average for all mid to large sized companies from the industry numbers I've seen.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    15. Re:Law Firms are Cheap by Impy+the+Impiuos+Imp · · Score: 1

      Mossack Fonseca, the Panamanian law firm: "They hacked our what???? All that data is leaked? From corrupt world leaders and billionaires? Oh no no no no no...oh oh. OH FUCK here comes Wilfred Brimley!"

      Wilford Brimley: "Have a seat there, son."

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  3. Authorities have not yet identified the hac.... by justcauseisjustthat · · Score: 1, Redundant

    "Authorities have not yet identified the hacker behind the Panama Papers breach", well it was the CIA/NSA.
    Look at the lack of US based names, so far there has been nothing but known criminals, on the other hand Russia, Pakistan, Iceland, UK have huge names outted.

    1. Re:Authorities have not yet identified the hac.... by LordThyGod · · Score: 1

      "Authorities have not yet identified the hacker behind the Panama Papers breach", well it was the CIA/NSA. Look at the lack of US based names, so far there has been nothing but known criminals, on the other hand Russia, Pakistan, Iceland, UK have huge names outted.

      Reports I've seen said this is because basically this stuff is legal, or at least trivial, for US based people. Its a rigged system. No need to go offshore to have someone else do your dirty work.

    2. Re:Authorities have not yet identified the hac.... by bloodhawk · · Score: 2

      these havens house nearly a quarter of all companies in existence on the planet. I find it highly suspicious that so far no one of significance form the US has been outed. Even Australia has 800 people identified in there. It seems of having being scrubbed before being released to the press.

    3. Re:Authorities have not yet identified the hac.... by Anonymous Coward · · Score: 1

      so why then does this law firm have offices all around the US if they don't tend to deal with US people? perhaps more is coming but as it stands it is highly suspicious.

    4. Re:Authorities have not yet identified the hac.... by Anonymous Coward · · Score: 1

      Outed as what though? "Look! Look! Microsoft has a massive shell corporation in Ireland!" No shirt, shitlock! The US government doesn't give a fuck about it, it's not secret, the only time it's illegal is when it's a personal bank account being used to hide income, and it's doubtful anyone needed some lawyer in Panama to open a bank account.

    5. Re:Authorities have not yet identified the hac.... by Anonymous Coward · · Score: 1

      you don't seem to understand what these shell companies are about. It isn't about hiding the wealth of large companies, these are shell companies with fake directors to hide the wealth of rich individuals to avoid paying tax in there home countries. I imagine the IRS most definitely would be highly interested as the US is one of the few countries that lays a claim on peoples earnings if they are US citizens EVEN if they no longer live in the country regardless of where they are earned.

    6. Re:Authorities have not yet identified the hac.... by Morris+von+Habsburg · · Score: 4, Informative

      But why would an American go to Panama if they can just go to Delaware?

      The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...

    7. Re:Authorities have not yet identified the hac.... by Anonymous Coward · · Score: 1

      Delaware doesn't allow you to hide your personal income from the IRS. Panama does. This law firm also has offices throughout the US so they definitely DO do business with a lot of rich US citizens.

    8. Re:Authorities have not yet identified the hac.... by sociocapitalist · · Score: 1

      But why would an American go to Panama if they can just go to Delaware?

      The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...

      Because Delaware information is visible to the IRS and Panama information is not.

      On the flip side, Delaware information is probably not visible in Panama so you'd probably find Panamanian politicians with accounts there.

      --
      blindly antisocialist = antisocial
    9. Re:Authorities have not yet identified the hac.... by SNRatio · · Score: 1

      so why then does this law firm have offices all around the US if they don't tend to deal with US people?

      Do you consider US corporations to be US people, my friend? These offices may only have shell companies as clients as opposed to directly working with US citizens.

    10. Re:Authorities have not yet identified the hac.... by GuB-42 · · Score: 2

      From a French journal, the possible reasons for the lack of US based names :
      - Mossack Fonseca is not the only player.
      - US taxation is lower than the average in OECD countries
      - FACTA
      - The US have their own tax heavens

    11. Re:Authorities have not yet identified the hac.... by dave420 · · Score: 1

      The US data will be released next week, apparently.

    12. Re:Authorities have not yet identified the hac.... by bloodhawk · · Score: 1

      because hiding your ownership of assets has a lot more effects and protection than what being in Delaware provides. Delware does not hide your details from the IRS, Delaware does not hide your assets from courts in case you are being sued and dragged through the courts over debts, delware does not hide your net worth from divorce lawyers that are demanding a 50-50 split. Basically it isn't just tax protection these people are seeking by hiding wealth, it is a general protection from all courts, agencies and peoples that might now or later want to make a claim against them.

  4. Re:nt by Narcocide · · Score: 1

    I'm amused.

  5. Separation of powers by ebonum · · Score: 1

    I would hope that the web server is on a machine with its own internet connection that doesn't share ANYTHING with the internal corporate network besides perhaps a UPS. The less a website is linked to the better.
    I'm no web expert, but I have had this conversation over and over again with small to mid-sized business owners. First, assume your web server is going to get herpes. Make your next decision accordingly. Big companies with big budgets have more options.

    1. Re:Separation of powers by houstonbofh · · Score: 1

      Yes, but they are sharing Pa$$word123 with a lot of other people too...

  6. LOL! by Narcocide · · Score: 1

    Should have hired me instead, suckers!

  7. I'm not surprised... by __aaclcg7560 · · Score: 5, Interesting

    Keeping multiple WordPress websites up to date has become such a nuisance that I'm converting the older ones to static websites. Those 4,000+ hackers per day have nothing to hack at a static website and go away to find easier targets.

    1. Re:I'm not surprised... by Anonymous Coward · · Score: 1

      No no no, you're supposed to make the whole thing world-writable so it can upgrade itself automatically!

    2. Re:I'm not surprised... by __aaclcg7560 · · Score: 3, Interesting

      Seems pretty simple to me

      You still have to log in, respond to any post-update screen messages, and make sure nothing else is broken. Multiple that by a half-dozen WordPress websites, it becomes a lot of work. A static website doesn't require that much housekeeping.

    3. Re:I'm not surprised... by Anonymous Coward · · Score: 1

      UNPATCHED, OUTDATED open source software. FTFY.

    4. Re:I'm not surprised... by houstonbofh · · Score: 1

      And what script do you run to fix what the updates broke?

    5. Re:I'm not surprised... by Tablizer · · Score: 1

      And what script do you run to fix what the updates broke?

      send resume, orgs=all -exclude current'

      --
      Table-ized A.I.
    6. Re:I'm not surprised... by Jason+Levine · · Score: 1

      Keeping multiple WordPress websites up to date has become such a nuisance

      I ran into this problem too. I wound up running InfiniteWP. It's free. (Some of the additional features aren't free, but you don't need those.) You just install the InfiniteWP plugin on your WordPress sites and connect them up with the main InfiniteWP install. Then, you use InfiniteWP to install plugin/theme/WordPress updates on all of your servers.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    7. Re:I'm not surprised... by __aaclcg7560 · · Score: 1

      [...] people that advocate Open Source as a way to fix it are people that should not be in IT making IT decisions.

      From my 20+ years of experience in working in IT, these decisions are often made outside of IT and IT gets stuck with the implementation tasks. Worse, a non-IT owner will be responsible for maintaining the software and applying updates on a regular basis. Doesn't happen. Six months later, IT gets dinged in a security audit and has to take over the server since the non-IT owner went AWOL.

  8. Re:Outlook web access 2009? by jfdavis668 · · Score: 1

    Exchange 2010 was released in November 2009.

  9. What versions are vulnerable? by Ark42 · · Score: 3, Insightful

    How do you know if your WordPress or Drupal site is vulnerable? If the version number is greater than zero of course!

    Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!

    --
    Morphing Software
    1. Re:What versions are vulnerable? by houstonbofh · · Score: 1

      Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!

      Not true! They can be used to generate static sites quite safely. :)

    2. Re:What versions are vulnerable? by Tablizer · · Score: 4, Insightful

      What's the alternative, roll-your-own CMS's? I've done those, and you are always re-inventing features that come standard or are pluggins in established CMS's as management/customers keep asking for new features.

      I've found security mistakes in my own code because of typical human error that inherently pops up when dealing with complexity. There may indeed be some security-thru-obscurity from DIY, but it just seems another form of gambling.

      I believe the best way to go is to outsource the basic CMS hosting and patching to an experienced vendor who is contractually obligated to patch timely, and verify that they do it via random spot checking.

      Because they run lots CMS instances, they should have the scripts and expertise to patch with some degree of economies-of-scale such that the expenses of timely patching shouldn't be too costly for them.

      Plus, they are likely to have somebody there Sunday at 3am to patch so that you don't have come in at 3am to patch yourself in order to keep the system up during normal hours.

      But, I don't have enough experience with that approach to render a final judgment. If anyone can recommend vendors who fit that bill based on experience, that would be great.

      --
      Table-ized A.I.
    3. Re:What versions are vulnerable? by Jason+Levine · · Score: 1

      I run plenty of WordPress websites and they aren't too difficult to secure if you put a little effort into it. In this case, the big problem was that they didn't run updates. The site was running 4.1 instead of the latest version (4.4.2). It should have been updated long ago. (4.1.1 was released February 2015 and 4.2 was out in April 2015.) The same goes for plugins (which you should use as sparingly as possible since it not only increases security risks but can add to load time.) You can also install plugins to protect against various security holes - such as brute force login attempts. And don't use "admin" or your site's name as your admin username unless you want your site hacked. About 90% of the bad login attempts I see are "admin", "administrator", or the site's name.

      A few years ago, my company's WordPress websites were hit by a would-be hacker. He was trying everything to get in, but couldn't because I put thought into the security of the site. He did manage to slow down the web servers when he hit them with 10,000+ attempts in an hour (before we traced his IP address and blocked him), but that was it. This isn't to say that you can make a WordPress site unhackable - no website is unhackable - but you can make it hack-proof enough that most malicious individuals will go elsewhere.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    4. Re:What versions are vulnerable? by HammerToe · · Score: 1

      ...or just use something that was designed better in the first place, and ore secure by default... like Plone.

      -Matt

    5. Re:What versions are vulnerable? by RoloDMonkey · · Score: 1

      Instead of just taking pot shots, can you suggest an alternative?

      Drupal is usually not the right solution for a "brochure" site. But, when done right, it can work very well as a portal for a more complex application, which is how it was being used in this case.

      --
      Long live the Speaker Bracelet
      Rolo D. Monkey
    6. Re:What versions are vulnerable? by dave420 · · Score: 1

      FTP! Cute!

    7. Re:What versions are vulnerable? by Tablizer · · Score: 1

      Can you name one that has a good reputation, well road-tested, and works with large orgs?

      --
      Table-ized A.I.
    8. Re:What versions are vulnerable? by Tablizer · · Score: 1

      You are arguing against economies of scale, essentially. While great job security, it strikes me as economically illogical to reinvent everything just for security.

      --
      Table-ized A.I.
  10. Interesting how the outed reacted by Lead+Butthead · · Score: 4, Interesting

    The Russians goes on the offensive in the domestic media, accusing the dox were faked by CIA trying to smear his good name.
    The Chinese censors it in their domestic media.
    The Ice Lander protests and their Prime Minister resigns.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Interesting how the outed reacted by houghi · · Score: 1

      And the Americans go 'Meh' and continue as before as they know nothing will come of it after the few first headlines.

      So what are the big US names involved? Or do they not need these kinds of structures as they have other ways of not paying taxes?

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Interesting how the outed reacted by monkeyxpress · · Score: 3, Interesting

      So what are the big US names involved? Or do they not need these kinds of structures as they have other ways of not paying taxes?

      Next week, apparently. The first round was just to get westerners interested in what would have otherwise been a bit of a flash in the pan 'revelation' that rich people don't pay tax. Most people wouldn't have been interested as the details are complex, and they would have figured such schemes are just part of being rich. The Chinese, Russian and Icelandic reactions to the news have succeeded in getting the common westerner's ears pricked up to the thought that this could be a very big scandal indeed.

      We will see what happens. I suspect David Cameron might be done next week. He is playing extremely strategic word games about his situation, and I can't see why he would bother being so meticulous unless he is concerned something has a good chance of coming out. I suspect he has a very big skeleton in his closet, and is being very careful to ensure he can only be labelled a hypocrite, not an outright liar.

    3. Re:Interesting how the outed reacted by ficuscr · · Score: 1

      This is worth a read. "Corporate Media Gatekeepers Protect Western 1% From Panama Leak" It explains the methodology used in searching the documents. https://www.craigmurray.org.uk...

  11. Wow by tom229 · · Score: 1

    This kind of puts to rest all those new world order conspiracy theories doesn't it? I mean, they can't be that brilliant if they can't even fucking update WordPress once a month. It's literally a calendar reminder to click a button.

    --
    If it ain't broke, don't fix it.
    1. Re:Wow by DNS-and-BIND · · Score: 2
      ...and then the moment you click update, your site goes blank because the update changed the way WP/Drupal works. Either your theme or one of your plugins needs to be updated, and you'd better pray that the developer is still around and issuing updates. Otherwise, it's back to the drawing board as you try to figure out what exactly went wrong and how to fix it. I hope you're a coder skilled in tracing and bugfixing instead of an ordinary Wordpress user who installed the software because it was easy to do! If you are LUCKY, you get an email like the following. If not, you're screwed.

      Hello,

      I am Wayne the designer of the Wordpress Slidingdor theme and you are recieving this email because you have at some time signed up for support at the Slidingdoor support page.

      The latest WordPress 4.4 update broke the SlidingDoor theme.

      It may be that you are no longer using the Slidingdoor wordpress theme, in which case you can disregard the rest of this email.

      But if you are using the Slidingdoor theme, it's better that you find this out before your website crashes.

      This is an urgent issue, and this is a one-off email.

      If you upgrade to WordPress 4.4 before you upgrade to the latest Slidingdoor theme then the Wordpress update will break the SlidingDoor theme and your website will go blank.

      There is a simple fix: I have released an update to the slidingdoor theme which is available for download at wordpress.org.

      https://wordpress.org/themes/s...

      Just click on 'download' or from within your wordpress installation just go to Appearance, Themes, and Update.

      You need to upgrade the sliding door theme BEFORE you upgrade to WordPress 4.4.

      Some people may have already upgraded to Wordpress 4.4 and if you have an old version of Slidigndoor you may now have a blank screen.

      If this has happened, the way to fix it is to FTP into your site and upload the new updated theme by hand OR log in directly to the wordpress admin page.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  12. Scaring The Others Into Better Security? by Freshly+Exhumed · · Score: 2

    This public outing of Mossack Fonseca's pathetic computer security will have the unfortunate consequence of convincing the rest of the firms in that line of work to get more serious about their own. For those who want greater transparency in the world of tax havens this hack of Mossack Fonseca might be a wrench in the works.

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
    1. Re:Scaring The Others Into Better Security? by gweihir · · Score: 1

      Your comment is so stupid, it is staggering.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Scaring The Others Into Better Security? by houstonbofh · · Score: 1

      You don't understand that people are more likely to buy a fire extinguisher after watching the building next door burn down?

    3. Re:Scaring The Others Into Better Security? by gweihir · · Score: 1

      I am referring to the idea that bad IT security would mean "better transparency".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Scaring The Others Into Better Security? by HornWumpus · · Score: 1

      It clearly did in this case, not the first time ether.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    5. Re:Scaring The Others Into Better Security? by gweihir · · Score: 1

      No, it did not. It did point out a serious problem, but "transparency" is something else than getting a huge, unstructured and very likely incomplete data-dump to the press.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Scaring The Others Into Better Security? by HornWumpus · · Score: 1

      There are other forms of 'transparency', but this qualifies. All data is subject to manipulation. This data should not be accepted at face value, but no data should.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  13. Air Gap anyone? by PPH · · Score: 2

    What the hell is sensitive client data doing on an Internet connected machine?

    --
    Have gnu, will travel.
    1. Re:Air Gap anyone? by aberglas · · Score: 2

      Air gaps aren't enough. The Iranian centrifuges were air gapped.

    2. Re:Air Gap anyone? by PPH · · Score: 1

      The Iranian centrifuges were air gapped.

      Stuxnet was a one way payload. It only had to get on to the controllers. At Mossack Fonseca, the object was to get data back out.

      --
      Have gnu, will travel.
  14. Obligatory Simpsons by antifoidulus · · Score: 1

    So they were running essentially an automatic version of this guy

    --
    Monstar L
  15. Wordpress vulnerabilities by JustAnotherOldGuy · · Score: 1

    Wordpress vulnerabilities - for once they're a help and not a hindrance.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  16. Bernie Sanders warned us about this by JustAnotherOldGuy · · Score: 5, Informative

    Bernie Sanders warned us about this back in 2011 or so...

    https://www.youtube.com/watch?...

    Sanders made a speech on the Senate floor in October of 2011 that warned that a proposed trade agreement with Panama would open the floodgates of American money flowing into off-shore tax havens, a plea that ultimately fell on deaf ears as the agreement was signed by President Barack Obama later that year.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Bernie Sanders warned us about this by houghi · · Score: 1

      I do not think it fell on flat ears. All others thought it was a good idea and liked that they got confirmation that it would work as intended.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re: Bernie Sanders warned us about this by JustAnotherOldGuy · · Score: 1

      Bernie Sanders in 12,000BC warned us this fire thing would come back to bite us!

      And damn if he wasn't right about that too.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  17. This hacker needs to be punished severely by aberglas · · Score: 3, Funny

    I hope they catch them and throw the book at them. Life imprisonment at least.

    They have embarrassed more very powerful people than Snowden and Assange combined. This type of activity must be stopped.

    1. Re:This hacker needs to be punished severely by Jason+Levine · · Score: 2

      You see, those rich people were hiding the money so terrorists wouldn't find it. But now that the terrorists know where the money is, the terrorists might take it and use it for terrorism. Have I said "terrorists/terrorism" enough times now to get you everyone against these hackers? Terrorism. Terrorism. Terrorism. Terrorists. Terrorism. Terrorism. How about how?

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  18. Windows not to blame for Panama Papers breach? by khz6955 · · Score: 1

    There apps are only as secure as the underlying Operating System and PLATFORM they run on, which in the case of WinTEL means not secure at all.

  19. Guess they had no money for IT security by gweihir · · Score: 2

    With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.

    When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Guess they had no money for IT security by jafiwam · · Score: 1

      With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.

      When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.

      It was stupid decision making not just money. Though being cheap had a big part to play.

      A law firm web site doesn't change fast enough or often enough to do anything more than a folder full of traditional HTML files, JavaScript, CSS and images.

      They could have used something like that and head off 99.99% of the potential problems.

      Someone probably heard WP was "easy" and it wasn't even an IT guy at all that set it up. The reality is, WP is about as much work and learning as getting up to speed on HTML and CSS. Except, of course, lots of the knowledge doesn't translate to other stuff and it's web based, therefore feels easier.

      WordPress. By the time you have learned enough to get GOOD at it, you could have learned to code the site in Notepad.

    2. Re:Guess they had no money for IT security by Jason+Levine · · Score: 1

      WordPress can be easy, but that doesn't mean that you don't need to know anything about websites/security to run a site. Especially if your site is "protecting" information on huge financial transactions. For most people, not updating their WordPress site just means that some joker puts "Powned By Hakors" on it. Annoying but ultimately not a huge impact. The bigger your site, though, the more you can't just say "we'll use X because it's easy and won't think about anything else." This is true regardless of what platform you use.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  20. Re:travel ban.... by gweihir · · Score: 1

    Naaaa, sounds like the first person above script-kiddy level got in. Boring from a technological point-of-view. Even a reasonably done simplistic penetration-test would probably have shown how bad things are. I guess they had no money for that with them all busy getting rich.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  21. Biggest contributor to Panama breach: by tlambert · · Score: 4, Insightful

    Biggest contributor to Panama breach:

    People doing illegal things in the first place.

  22. Re:Outlook web access 2009? by houstonbofh · · Score: 1

    "The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access."

    Looks like a release date and not a title to me...

  23. Not convinced by El_Muerte_TDS · · Score: 3, Interesting

    We're talking about 2.6TB of data here, 11.5 million documents, photos, scans, and emails created over a time span of 1970 til now, received in batches during a year.
    I highly doubt some external used an exploit in customer facing portals to download this many individual files.

    1. Re:Not convinced by jafiwam · · Score: 1

      Law firms like to put all that stuff in a big database (or two.)

      Chances are someone got that, or backup files of it and just set the download to run slowly over a couple of weeks so nobody noticed network slowdown.

      You only gotta get it out once.

    2. Re:Not convinced by ole_timer · · Score: 1

      John Bachelor said last night that the US did it to embarrass the Chinese...makes parallel construction seem like child's play

      --
      nothing to see here - move along
  24. Server split? by Tablizer · · Score: 1

    Why is customer account info on a WCMS? The public-facing stuff should be hosted separate from the private/internal stuff (like customer accounts) such that if your public WCMS is breached, the private stuff should be protected. There should be a fire-wall between the public host and the private customer data hosts/servers. You wouldn't put customer details on a public WCMS normally. Your public site is a sales-ish tool.

    For biz-to-biz transactions, typically a CRUD-centric tool would be used, not a WCMS.

    That is unless they co-hosted too many different concerns on the same server or LAN/WAN, which is a sin at least as big as not patching WCMS.

    --
    Table-ized A.I.
  25. Health consquences of breach by gijoel · · Score: 1

    I suspect that there's going to be a sudden outbreak of spontaneous Polonium poisoning in Panama due to this leak.

  26. Utter Horseshit! by Anonymous Coward · · Score: 4, Insightful

    1. Even in the highly unlikely scenario that Wordpress was installed on the same system as Outlook Web Access, it would not provide access to the Exchange email system.

    2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Excahange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.

    3. Encrypted email? Who the fuck does that? No one, that's who. Let's not bother with any pretentious or condescending horseshit. Probably half of the world's email sits on Exchange servers, corporate on-premise or Office365/Outlook.com/Hotmail... None of it is encrypted at rest. Despite the available option and Google's recent TLS push, SMTP is not generally not encrypted. So, email in flight is even more open than at rest. This is the way it is everywhere and is not a major security issue.

    4. The Panama Papers consist of 2.6 TERABYTES of data! Have you ever tried to push or pull that much data over the internet? It is a huge undertaking, even with very high speed connections. While technically possible, it is unlikely that that much data was siphoned off remotely, especially form slow-ass Exchange servers.

    This entire article is pure fantastical supposition and utter horseshit. 2.6TB of Exchange emails DID NOT come through any Wordpress exploit. This data almost certainly came from an inside source and was walked out on a USB external drive which itself would have taken over 36 hours to copy the data to.

    This "story" is utter horseshit. Just like the international outrage over legal financial activities. It's all manufactured nonsense.

    1. Re:Utter Horseshit! by jittles · · Score: 3, Insightful

      Oh please. That Telestra customer pushed 1 TB of the Panama papers over his LTEx4 connection just this last Sunday.

    2. Re:Utter Horseshit! by jtanium · · Score: 1

      2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Excahange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.

      Minor quibble, but as I read the summary, where I saw "outdated" I thought "unpatched," and it seems quite reasonable that an Exchange 2007/2010 server without the latest patches could suffer egregious vulnerabilities. Unsupported and unpatched would probably be better words.

  27. Most hacks are due to outdated CMS packages by SmSlDoo · · Score: 1

    So many servers run ancient versions of popular CMS packages and then wonder why their server constantly gets hacked.
    Heaven forbid they are running WHMCS on a box with other websites (quickest way to get rooted).

    It got so bad for us here, I had to write a script to scan customer servers just to find all of the outdated packages.
    It amazes me to read some of the reports, seeing sites running decade old software is not uncommon.

    Still is a battle to get people to actually update their sites once they have been notified about running old software.

  28. More technical info on Panama Papers by kbahey · · Score: 1

    There is more technical details in this article.

    They are running a 2013 version of Drupal that is vulnerable to SQL injection (dubbed Drupalgeddon).

    They are also running an Oracle HTTP server too. That web server seems to be ignoring the .htaccess setup by Drupal, and returns back the entire code of the .module files, and listings of directories, and such.

    More interesting is how ICIJ setup their own collaboration around the documents using open source software, like VeraCrypt (fork of TruCrypt), Backlight (Ruby On Rails tool to index documents in Apache Solr), and Oxwall (a social media type of thing).

    --
    2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
  29. lots of info on the Mossack issues & code here by HongPong · · Score: 1

    This has a lot of detailed information about the problems with Mossack Fonseca client portal: http://www.unicornriot.ninja/?... including the possibility of using the website vulns to get into Oracle.

    --
    --hongpong.com
  30. Re:Proof Of Illegal Thinsg? by tlambert · · Score: 1

    What we still don't seem to have, is proof of any actual crimes.

    Public outrage over morally questionable selfishness is pointless stupidity. Where is the crime? Where is the proof?

    Actually, we have the proof. It's in the data dumps.

    The actual actions involved are illegal tax shelters. These work for corporations because they are, in fact, legal. They also work for high net worth individuals, but only if they are willing to relocate their residence outside their home country for a period of time.

    For the U.S., the magic number is ~191 days a year (indisputably, at least 51% of their time). For other countries, the numbers are different.

    In all cases, however, the general rule is that you want to establish a legal tax shelter. And if you can't ... well, some people *still* don't want to pay taxes, and instead establish illegal tax shelters.

    The primary reason that there are not a lot of U.S. individuals on the disclosure list is that most of these schemes were shut down in the U.S. about a decade ago (closer to 2004/2005, so add a couple of years to that). Now it's the turn of the rest of the world.

    Here's an example from 2004 for the U.S..

    The way the scheme operates is to relocate a business and your primary legal residence to an economic development zone (EDZ), which saves you 90% (as an exemption) on your federal income tax, if you employ a certain number of people in a business. Only the rules were pretty lax, and a lot of people didn't meet the 190+ days a year requirement, because they tried to count actually living in the U.S. as "vacation time".

    As part of the laxity of those rules, you didn't have to personally employ the people, instead you could buy into a co-op that employed that number of people (what they did or didn't do really didn't matter -- the rules were lax), buy a vacation home in the area, and live there as much as you could.

    Now it should be noted that not every co-op was a tax shelter scam, and there were people who in fact met the 190+ day requirement, and owned businesses in the EDZ's, that employed the required number of people. In addition, a number of the co-ops that were being used as scam shelters, actually had these honest people involved in them as well -- both as protective covering, and because it was handy to have the co-op deal with the details of the paperwork.

    One of these shelters was "Kapok" in the U.S. Virgin Islands, which were an EDZ at the time, and remained so for about a decade.

    The point is that, just because there are good apples, doesn't mean that there are not also rotten apples, and it's pretty clear that this disclosure, even for those which are not engaged themselves in illegal activity, is going to rip the bandaid off what is, at least in areas, a festering wound.

    If you want to read more about Kapok, specifically, here's an article from 2004: http://amarillo.com/stories/20...

    P.S.: if you want to know about how to legally take advantage of a tax loophole opened by Prop 13in California, at the last minute, by the Kaiser Family Foundation, I can enlighten you on that as well, but be aware, you pretty much have to be a rather large property holder (like the KFF) to take reasonable advantage of it. There are also some pretty careful zoning hurdles you have to pass ... but it's doable.