Slashdot Mirror


Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach (wptavern.com)

An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.
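The summary fingerprints the two installs from public artifacts: the WordPress version from a core script that ships unchanged with a given release, and the Drupal version from a world-readable CHANGELOG.txt. The script below, added here as an example and not code from WordPress Tavern, Forbes or anyone in the thread, performs the same checks against a saved copy of a site's front page and changelog. The HTML head and changelog text are constructed for the example (the Drupal header line follows the real "Drupal 7.23, 2013-08-07" format of Drupal 7's CHANGELOG.txt); the "latest" version you compare against and the reference copy of autosave.js are supplied by the operator, not invented here.

```python
"""Offline CMS version fingerprinting from the artifacts a site exposes.

Checks demonstrated (all on constructed sample input):
  * WordPress: the generator meta tag, with a fallback to the ?ver= query
    string on a core script (autosave.js is versioned with the WordPress
    release; bundled libraries such as jQuery carry their own version).
  * WordPress: byte-for-byte comparison of a served core file against a
    reference copy taken from a known release tarball.
  * Drupal 7: the first line of a publicly readable CHANGELOG.txt.
"""
import hashlib
import re

# Constructed front-page head of a WordPress site (not captured from any real site).
WP_HTML = """<html><head>
<meta name="generator" content="WordPress 4.1" />
<script src="/wp-includes/js/autosave.min.js?ver=4.1"></script>
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.1"></script>
<script src="/wp-content/plugins/example-slider/js/slider.js?ver=1.0.2"></script>
</head><body></body></html>"""

# Constructed head of a Drupal 7 CHANGELOG.txt in its real layout.
DRUPAL_CHANGELOG = """Drupal 7.23, 2013-08-07
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2013-003.

Drupal 7.22, 2013-04-03
-----------------------
"""


def parse_version(version):
    """'7.23' -> (7, 23). Numeric tuples compare correctly ('4.10' > '4.9')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def wordpress_version(html):
    """Return the WordPress core version advertised by the page, or None.

    The generator tag is the direct tell; many themes strip it, so fall back to
    the ?ver= on autosave.js, which WordPress stamps with its own version.
    """
    match = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    if match:
        return match.group(1)
    match = re.search(r'/wp-includes/js/autosave(?:\.min)?\.js\?ver=([\d.]+)', html)
    return match.group(1) if match else None


def plugin_versions(html):
    """Collect (plugin directory, ?ver=) pairs for scripts loaded from wp-content/plugins."""
    pattern = r'/wp-content/plugins/([^/"\']+)/[^"\']*\?ver=([\d.]+)'
    return sorted(set(re.findall(pattern, html)))


def core_asset_matches(served, reference):
    """True when a served core file is identical to the operator's reference copy.

    The reference bytes come from the release tarball the operator downloads;
    hashing lets the comparison work on stored digests instead of full files.
    """
    return hashlib.sha256(served).hexdigest() == hashlib.sha256(reference).hexdigest()


def drupal_version(changelog):
    """Drupal 7's CHANGELOG.txt opens with 'Drupal <version>, <YYYY-MM-DD>'."""
    match = re.match(r"Drupal ([\d.]+), (\d{4}-\d{2}-\d{2})", changelog)
    return (match.group(1), match.group(2)) if match else None


def is_outdated(found, latest):
    """True when `found` is older than `latest` (the caller supplies `latest`)."""
    return parse_version(found) < parse_version(latest)


if __name__ == "__main__":
    # "latest" values are placeholders the operator fills in from the vendor's release notes.
    wp = wordpress_version(WP_HTML)
    print("WordPress:", wp, "outdated" if is_outdated(wp, "4.4.2") else "current")
    print("Plugins:", plugin_versions(WP_HTML))
    drupal, released = drupal_version(DRUPAL_CHANGELOG)
    print("Drupal:", drupal, "released", released,
          "outdated" if is_outdated(drupal, "7.43") else "current")
```

Point the functions at a saved copy of your own front page and at `/CHANGELOG.txt` (Drupal) or `/readme.html` and `/wp-includes/js/autosave.js` (WordPress); if any of them yields a version, that same version is visible to anyone who looks, so the fix is to update, not just to hide the tell.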


  1. Medal winner? by Lead+Butthead · · Score: 3, Insightful

    We should give that person a medal for handing those dox to the press...

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Medal winner? by Shrike82 · · Score: 2

      Radio news report from the BBC indicated that the US names will be released next week. Not sure why they're being delayed though. Maybe something to do with that election that they're having...

      --
      You can advertise in this sig from as little as £99.99 a month!
    2. Re:Medal winner? by DarkOx · · Score: 3, Insightful

      The answer is probably that FATCA probably works.

      What I find really telling is Obama's reaction. Never mind how little evidence there was that Americans were using offshore accounts to evade taxation, he just knows they are doing it! We need more regulations! He says all this after his own secretary of state (Hillary Clinton) recently negotiated a trade pact with Panama which will make it easier to do exactly that sort of cheating. An agreement which he then signed into law.

      The takeaway: anything is an excuse for more regulation on the left. That regulation will of course be carefully engineered to fall on us ordinary middle class folks and a handful of wealthy industrialists they don't like while not touching their elite friends in Hollywood, Politics, Law, and Academia. Like always some folks will be a little more equal.

      At least when the GOP, "just cuts tax rates" I get to enjoy some of the benefit. Sure maybe not to the tune the industrial owner class enjoys but I get something. The fact that the benefit is so unequal has as much to do with the existing structure again enacted by progressives and liberals too.

      Let's continue to starve the beast and if we can get it small enough to fit into the tube let's drown it!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:Medal winner? by whoever57 · · Score: 2

      At least when the GOP, "just cuts tax rates" I get to enjoy some of the benefit. Sure maybe not to the tune the industrial owner class enjoys but I get something.

      Maybe you do get reduced tax payments, but you also suffer from reduced government spending. You suffer from regulations that don't get enforced, allowing things like companies to destroy the environment. You suffer from Wall Street ignoring regulations that are not enforced. You suffer in many ways, which likely outweigh the small benefit you get from reduced tax rates.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Medal winner? by nbauman · · Score: 2

      One of the beasts that the Republicans starved was the IRS fraud investigators.

      The IRS discovered wholesale tax fraud by organizations claiming to be 401(c) organizations illegally using their tax-deductible contributions for political campaigns.

      Many of these organizations had "Tea Party" and "Patriot" in the name, so the IRS used those key words to find applications to investigate http://www.motherjones.com/pol... It's as if you searched for organizations with "Jihad" in the name to find terrorists.

      The Tea Party organizations and their Republican campaign fund recipients didn't like it when they got caught, so they responded by cutting the IRS budget. These were broad cuts, not only for fraud investigations but also for simple things like 800-number information lines (which they discontinued).

      It got so bad that the IRS' Taxpayer Advocate, Nina Olson, blasted the IRS taxpayer services in her annual report as inadequate.

      That's what happens when you starve the beast. You don't have any more government services. The only people who benefit are people who are committing fraud.

  2. Law Firms are Cheap by jafiwam · · Score: 5, Insightful

    Every law firm I have ever had tangential contact in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.

    A breach like this is not an unexpected result.

    1. Re: Law Firms are Cheap by johnsmithperson123 · · Score: 3, Insightful

      It's the same in government, excepting the NSA of course. They all skimp out on IT and most of them get hacked in the end. Look at State and OPM. Face it, the pay scale is broken for IT. Government is having issues- schools don't like to think they need to pay IT more than administrators, FBI doesn't want to pay IT more than agents. So they all have lousy IT tech.

    2. Re:Law Firms are Cheap by buchner.johannes · · Score: 2

      I doubt, though, that it was a hack; I suspect it might as well be an insider. I mean, it would be so much easier to fetch those 3TB as an employee or contractor than through the website (which as far as we know might not even be connected to the data trove).

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:Law Firms are Cheap by Gumbercules!! · · Score: 4, Insightful

      You know, this is true in my experience, too. I've worked with 3 law firms in the past, one of which is actually massive, and they were all mind blowing cheapskates. One place we tried to get work from charges barristers out at something near $1,000 an hour - and refused to pay an IT company more than $50. They said that kind of work wasn't worth more than that. I literally walked out. Another place was involved in a Royal Commission (a very big deal in Australia) and they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license.

    4. Re:Law Firms are Cheap by stridebird · · Score: 2

      "they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license."

      Failing to see the fail here. Of course, if you mean 7-year-old unpatched or orphaned software then you have a point, but Samba on Linux serving files to MS - it does that rather well.

    5. Re:Law Firms are Cheap by Heart44 · · Score: 2

      My experience too with law firms and accountants. I have a feeling they hate paying by the hour.

      I wonder why ...

  3. I'm not surprised... by __aaclcg7560 · · Score: 5, Interesting

    Keeping multiple WordPress websites up to date has become such a nuisance that I'm converting the older ones to static websites. Those 4,000+ hackers per day have nothing to hack at a static website and go away to find easier targets.

    1. Re:I'm not surprised... by __aaclcg7560 · · Score: 3, Interesting

      Seems pretty simple to me

      You still have to log in, respond to any post-update screen messages, and make sure nothing else is broken. Multiply that by a half-dozen WordPress websites, and it becomes a lot of work. A static website doesn't require that much housekeeping.

  4. Re:Authorities have not yet identified the hac.... by bloodhawk · · Score: 2

    These havens house nearly a quarter of all companies in existence on the planet. I find it highly suspicious that so far no one of significance from the US has been outed. Even Australia has 800 people identified in there. It seems to have been scrubbed before being released to the press.

  5. What versions are vulnerable? by Ark42 · · Score: 3, Insightful

    How do you know if your WordPress or Drupal site is vulnerable? If the version number is greater than zero of course!

    Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!

    1. Re:What versions are vulnerable? by Tablizer · · Score: 4, Insightful

      What's the alternative, roll-your-own CMSs? I've done those, and you are always re-inventing features that come standard or are plugins in established CMSs as management/customers keep asking for new features.

      I've found security mistakes in my own code because of typical human error that inherently pops up when dealing with complexity. There may indeed be some security-thru-obscurity from DIY, but it just seems another form of gambling.

      I believe the best way to go is to outsource the basic CMS hosting and patching to an experienced vendor who is contractually obligated to patch timely, and verify that they do it via random spot checking.

      Because they run lots of CMS instances, they should have the scripts and expertise to patch with some degree of economies-of-scale such that the expenses of timely patching shouldn't be too costly for them.

      Plus, they are likely to have somebody there Sunday at 3am to patch so that you don't have to come in at 3am to patch yourself in order to keep the system up during normal hours.

      But, I don't have enough experience with that approach to render a final judgment. If anyone can recommend vendors who fit that bill based on experience, that would be great.

  6. Interesting how the outed reacted by Lead+Butthead · · Score: 4, Interesting

    The Russians go on the offensive in the domestic media, claiming the dox were faked by the CIA trying to smear his good name.
    The Chinese censor it in their domestic media.
    The Icelanders protest and their Prime Minister resigns.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Interesting how the outed reacted by monkeyxpress · · Score: 3, Interesting

      So what are the big US names involved? Or do they not need these kinds of structures as they have other ways of not paying taxes?

      Next week, apparently. The first round was just to get westerners interested in what would have otherwise been a bit of a flash in the pan 'revelation' that rich people don't pay tax. Most people wouldn't have been interested as the details are complex, and they would have figured such schemes are just part of being rich. The Chinese, Russian and Icelandic reactions to the news have succeeded in getting the common westerner's ears pricked up to the thought that this could be a very big scandal indeed.

      We will see what happens. I suspect David Cameron might be done next week. He is playing extremely strategic word games about his situation, and I can't see why he would bother being so meticulous unless he is concerned something has a good chance of coming out. I suspect he has a very big skeleton in his closet, and is being very careful to ensure he can only be labelled a hypocrite, not an outright liar.

  7. Scaring The Others Into Better Security? by Freshly+Exhumed · · Score: 2

    This public outing of Mossack Fonseca's pathetic computer security will have the unfortunate consequence of convincing the rest of the firms in that line of work to get more serious about their own. For those who want greater transparency in the world of tax havens this hack of Mossack Fonseca might be a wrench in the works.

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
  8. Air Gap anyone? by PPH · · Score: 2

    What the hell is sensitive client data doing on an Internet connected machine?

    --
    Have gnu, will travel.
    1. Re:Air Gap anyone? by aberglas · · Score: 2

      Air gaps aren't enough. The Iranian centrifuges were air gapped.

  9. Bernie Sanders warned us about this by JustAnotherOldGuy · · Score: 5, Informative

    Bernie Sanders warned us about this back in 2011 or so...

    https://www.youtube.com/watch?...

    Sanders made a speech on the Senate floor in October of 2011 that warned that a proposed trade agreement with Panama would open the floodgates of American money flowing into off-shore tax havens, a plea that ultimately fell on deaf ears as the agreement was signed by President Barack Obama later that year.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  10. This hacker needs to be punished severely by aberglas · · Score: 3, Funny

    I hope they catch them and throw the book at them. Life imprisonment at least.

    They have embarrassed more very powerful people than Snowden and Assange combined. This type of activity must be stopped.

    1. Re:This hacker needs to be punished severely by Jason+Levine · · Score: 2

      You see, those rich people were hiding the money so terrorists wouldn't find it. But now that the terrorists know where the money is, the terrorists might take it and use it for terrorism. Have I said "terrorists/terrorism" enough times now to get everyone against these hackers? Terrorism. Terrorism. Terrorism. Terrorists. Terrorism. Terrorism. How about now?

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  11. Guess they had no money for IT security by gweihir · · Score: 2

    With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.

    When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Biggest contributor to Panama breach: by tlambert · · Score: 4, Insightful

    Biggest contributor to Panama breach:

    People doing illegal things in the first place.

  13. Re:Wow by DNS-and-BIND · · Score: 2
    ...and then the moment you click update, your site goes blank because the update changed the way WP/Drupal works. Either your theme or one of your plugins needs to be updated, and you'd better pray that the developer is still around and issuing updates. Otherwise, it's back to the drawing board as you try to figure out what exactly went wrong and how to fix it. I hope you're a coder skilled in tracing and bugfixing instead of an ordinary Wordpress user who installed the software because it was easy to do! If you are LUCKY, you get an email like the following. If not, you're screwed.

    Hello,

    I am Wayne the designer of the Wordpress Slidingdoor theme and you are receiving this email because you have at some time signed up for support at the Slidingdoor support page.

    The latest WordPress 4.4 update broke the SlidingDoor theme.

    It may be that you are no longer using the Slidingdoor wordpress theme, in which case you can disregard the rest of this email.

    But if you are using the Slidingdoor theme, it's better that you find this out before your website crashes.

    This is an urgent issue, and this is a one-off email.

    If you upgrade to WordPress 4.4 before you upgrade to the latest Slidingdoor theme then the Wordpress update will break the SlidingDoor theme and your website will go blank.

    There is a simple fix: I have released an update to the slidingdoor theme which is available for download at wordpress.org.

    https://wordpress.org/themes/s...

    Just click on 'download' or from within your wordpress installation just go to Appearance, Themes, and Update.

    You need to upgrade the sliding door theme BEFORE you upgrade to WordPress 4.4.

    Some people may have already upgraded to Wordpress 4.4 and if you have an old version of Slidingdoor you may now have a blank screen.

    If this has happened, the way to fix it is to FTP into your site and upload the new updated theme by hand OR log in directly to the wordpress admin page.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  14. Not convinced by El_Muerte_TDS · · Score: 3, Interesting

    We're talking about 2.6TB of data here, 11.5 million documents, photos, scans, and emails created over a time span of 1970 till now, received in batches during a year.
    I highly doubt some external party used an exploit in customer facing portals to download this many individual files.

  15. Re:Authorities have not yet identified the hac.... by Morris+von+Habsburg · · Score: 4, Informative

    But why would an American go to Panama if they can just go to Delaware?

    The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...

  16. Utter Horseshit! by Anonymous Coward · · Score: 4, Insightful

    1. Even in the highly unlikely scenario that Wordpress was installed on the same system as Outlook Web Access, it would not provide access to the Exchange email system.

    2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Exchange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.

    3. Encrypted email? Who the fuck does that? No one, that's who. Let's not bother with any pretentious or condescending horseshit. Probably half of the world's email sits on Exchange servers, corporate on-premise or Office365/Outlook.com/Hotmail... None of it is encrypted at rest. Despite the available option and Google's recent TLS push, SMTP is generally not encrypted. So, email in flight is even more open than at rest. This is the way it is everywhere and is not a major security issue.

    4. The Panama Papers consist of 2.6 TERABYTES of data! Have you ever tried to push or pull that much data over the internet? It is a huge undertaking, even with very high speed connections. While technically possible, it is unlikely that that much data was siphoned off remotely, especially from slow-ass Exchange servers.

    This entire article is pure fantastical supposition and utter horseshit. 2.6TB of Exchange emails DID NOT come through any Wordpress exploit. This data almost certainly came from an inside source and was walked out on a USB external drive which itself would have taken over 36 hours to copy the data to.

    This "story" is utter horseshit. Just like the international outrage over legal financial activities. It's all manufactured nonsense.

    1. Re:Utter Horseshit! by jittles · · Score: 3, Insightful

      Oh please. That Telstra customer pushed 1 TB of the Panama papers over his LTEx4 connection just this last Sunday.

  17. Re:Authorities have not yet identified the hac.... by GuB-42 · · Score: 2

    From a French newspaper, the possible reasons for the lack of US based names:
    - Mossack Fonseca is not the only player.
    - US taxation is lower than the average in OECD countries.
    - FATCA.
    - The US has its own tax havens.