Slashdot Mirror


Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach (wptavern.com)

An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.
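The version fingerprinting the summary describes (the core version read off a shipped file such as autosave.js and the `?ver=` strings core appends to its own scripts, a theme whose style.css header does not match the directory it is served from, and a Drupal CHANGELOG.txt left world-readable) is exactly the first pass an attacker or an auditor makes against a CMS front end. The script below reproduces that pass offline. It is an added example, not code from WordPress Tavern, Forbes or the firm; the page, style.css and changelog it parses are constructed to look like those artifacts, not the real Mossack Fonseca files, and the baseline versions are assumed placeholders you would replace with the current releases on the day you run it. The check that actually identified 4.1, hashing the served autosave.js against the copy in each release tarball, needs those tarballs and is not included here.

```python
"""Fingerprint a WordPress or Drupal install from surface artifacts:
core ?ver= query strings / generator tag, theme directory versus the
theme's own style.css header, and a world-readable Drupal CHANGELOG.txt.
Added example; the sample page, style.css and changelog below are
constructed, not the real Mossack Fonseca pages."""
import re
from typing import Dict, List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'7.23' -> (7, 23); tuples compare numerically, unlike strings ('7.9' > '7.23')."""
    return tuple(int(p) for p in s.split("."))


def wordpress_version_from_html(html: str) -> Optional[str]:
    """Core version from the generator meta tag if present, else from the
    ?ver= that core appends to scripts it enqueues from /wp-includes/js/
    (the same shipped files, autosave.js among them, whose contents
    identify a release)."""
    m = re.search(r'<meta\b[^>]*content=["\']WordPress ([\d.]+)["\']', html, re.I)
    if m:
        return m.group(1)
    m = re.search(r'/wp-includes/js/[^"\'\s]*\?ver=([\d.]+)', html)
    return m.group(1) if m else None


def theme_dir_from_html(html: str) -> Optional[str]:
    """Directory the active theme's assets are served from."""
    m = re.search(r'/wp-content/themes/([^/"\'\s]+)/', html)
    return m.group(1) if m else None


def theme_from_style_css(css: str) -> Optional[Dict[str, str]]:
    """Theme Name / Version from the style.css header. A bundled default
    theme's slug is its name lower-cased without spaces (Twenty Eleven ->
    twentyeleven), so a different directory name deserves a second look."""
    name = re.search(r'^\s*Theme Name:\s*(.+?)\s*$', css, re.M)
    ver = re.search(r'^\s*Version:\s*([\d.]+)\s*$', css, re.M)
    if not (name and ver):
        return None
    return {"name": name.group(1), "version": ver.group(1),
            "slug": re.sub(r'\s+', '', name.group(1)).lower()}


def drupal_version_from_changelog(text: str) -> Optional[Tuple[str, str]]:
    """Drupal 7's CHANGELOG.txt lists releases newest-first as
    'Drupal 7.23, 2013-08-07'; the first such line is the installed version."""
    m = re.search(r'^Drupal (\d+\.\d+), (\d{4}-\d{2}-\d{2})', text, re.M)
    return (m.group(1), m.group(2)) if m else None


def assess(html: str, theme_css: str, changelog: Optional[str],
           baseline: Dict[str, str]) -> Dict[str, object]:
    """Compare what the site leaks against caller-supplied baselines and
    return the detected versions plus a list of findings."""
    findings: List[str] = []
    wp = wordpress_version_from_html(html)
    if wp and parse_version(wp) < parse_version(baseline["wordpress"]):
        findings.append(f"WordPress core {wp} behind {baseline['wordpress']}")
    theme, tdir = theme_from_style_css(theme_css), theme_dir_from_html(html)
    if theme and tdir and tdir != theme["slug"]:
        findings.append(f"theme '{theme['name']}' {theme['version']} served from "
                        f"/{tdir}/, not /{theme['slug']}/")
    drupal = None
    if changelog is not None:  # None means CHANGELOG.txt was not reachable
        drupal = drupal_version_from_changelog(changelog)
        if drupal:
            findings.append(f"Drupal CHANGELOG.txt is public: {drupal[0]} ({drupal[1]})")
            if parse_version(drupal[0]) < parse_version(baseline["drupal"]):
                findings.append(f"Drupal core {drupal[0]} behind {baseline['drupal']}")
    return {"wordpress": wp, "theme": theme, "theme_dir": tdir,
            "drupal": drupal, "findings": findings}


# Constructed sample inputs shaped like the artifacts the story describes.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.1" />
<link rel='stylesheet' href='https://example.invalid/wp-content/themes/twentyten/style.css?ver=4.1' />
<script src='https://example.invalid/wp-includes/js/autosave.min.js?ver=4.1'></script>
</head><body></body></html>"""

SAMPLE_THEME_CSS = """/*
Theme Name: Twenty Eleven
Version: 1.5
*/"""

SAMPLE_CHANGELOG = """Drupal 7.23, 2013-08-07
-----------------------
- Bug fixes.

Drupal 7.22, 2013-04-03
-----------------------
- Bug fixes.
"""

# Illustrative baselines (assumed); substitute the current releases when you run this.
BASELINE = {"wordpress": "4.5", "drupal": "7.43"}

if __name__ == "__main__":
    for finding in assess(SAMPLE_HTML, SAMPLE_THEME_CSS, SAMPLE_CHANGELOG, BASELINE)["findings"]:
        print("-", finding)
```

Against the constructed input this reports four findings: core behind baseline, theme name and directory disagree, CHANGELOG.txt readable, Drupal behind baseline. In a live run you would feed it the fetched front page, `/wp-content/themes/<dir>/style.css` and `/CHANGELOG.txt`, and treat a reachable changelog as a finding in itself, since the fix is to deny access to it regardless of version.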

9 of 155 comments

  1. Law Firms are Cheap by jafiwam · Score: 5, Insightful

    Every law firm I have ever had tangential contact with in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.

    A breach like this is not an unexpected result.

    1. Re:Law Firms are Cheap by Gumbercules!! · Score: 4, Insightful

      You know, this is true in my experience, too. I've worked with 3 law firms in the past, one of which is actually massive, and they were all mind-blowing cheapskates. One place we tried to get work from charges barristers out at something near $1,000 an hour - and refused to pay an IT company more than $50. They said that kind of work wasn't worth more than that. I literally walked out. Another place was involved in a Royal Commission (a very big deal in Australia) and they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license.

  2. I'm not surprised... by __aaclcg7560 · Score: 5, Interesting

    Keeping multiple WordPress websites up to date has become such a nuisance that I'm converting the older ones to static websites. Those 4,000+ hackers per day have nothing to hack at a static website and go away to find easier targets.

  3. Interesting how the outed reacted by Lead Butthead · Score: 4, Interesting

    The Russians go on the offensive in the domestic media, claiming the dox were faked by the CIA trying to smear his good name.
    The Chinese censor it in their domestic media.
    The Icelanders protest and their Prime Minister resigns.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?

  4. Bernie Sanders warned us about this by JustAnotherOldGuy · Score: 5, Informative

    Bernie Sanders warned us about this back in 2011 or so...

    https://www.youtube.com/watch?...

    Sanders made a speech on the Senate floor in October of 2011 that warned that a proposed trade agreement with Panama would open the floodgates of American money flowing into off-shore tax havens, a plea that ultimately fell on deaf ears as the agreement was signed by President Barack Obama later that year.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  5. Biggest contributor to Panama breach: by tlambert · Score: 4, Insightful

    Biggest contributor to Panama breach:

    People doing illegal things in the first place.

  6. Re:What versions are vulnerable? by Tablizer · Score: 4, Insightful

    What's the alternative, roll-your-own CMS's? I've done those, and you are always re-inventing features that come standard or are plugins in established CMS's as management/customers keep asking for new features.

    I've found security mistakes in my own code because of typical human error that inherently pops up when dealing with complexity. There may indeed be some security-thru-obscurity from DIY, but it just seems another form of gambling.

    I believe the best way to go is to outsource the basic CMS hosting and patching to an experienced vendor who is contractually obligated to patch timely, and verify that they do it via random spot checking.

    Because they run lots CMS instances, they should have the scripts and expertise to patch with some degree of economies-of-scale such that the expenses of timely patching shouldn't be too costly for them.

    Plus, they are likely to have somebody there Sunday at 3am to patch so that you don't have to come in at 3am to patch yourself in order to keep the system up during normal hours.

    But, I don't have enough experience with that approach to render a final judgment. If anyone can recommend vendors who fit that bill based on experience, that would be great.

  7. Re:Authorities have not yet identified the hac.... by Morris von Habsburg · Score: 4, Informative

    But why would an American go to Panama if they can just go to Delaware?

    The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...

  8. Utter Horseshit! by Anonymous Coward · Score: 4, Insightful

    1. Even in the highly unlikely scenario that Wordpress was installed on the same system as Outlook Web Access, it would not provide access to the Exchange email system.

    2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Exchange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.

    3. Encrypted email? Who the fuck does that? No one, that's who. Let's not bother with any pretentious or condescending horseshit. Probably half of the world's email sits on Exchange servers, corporate on-premise or Office365/Outlook.com/Hotmail... None of it is encrypted at rest. Despite the available option and Google's recent TLS push, SMTP is generally not encrypted. So, email in flight is even more open than at rest. This is the way it is everywhere and is not a major security issue.

    4. The Panama Papers consist of 2.6 TERABYTES of data! Have you ever tried to push or pull that much data over the internet? It is a huge undertaking, even with very high speed connections. While technically possible, it is unlikely that that much data was siphoned off remotely, especially from slow-ass Exchange servers.

    This entire article is pure fantastical supposition and utter horseshit. 2.6TB of Exchange emails DID NOT come through any Wordpress exploit. This data almost certainly came from an inside source and was walked out on a USB external drive which itself would have taken over 36 hours to copy the data to.

    This "story" is utter horseshit. Just like the international outrage over legal financial activities. It's all manufactured nonsense.