back to article Panama Papers hack: Unpatched WordPress, Drupal bugs to blame?

The extraordinary leak of documents from law firm Mossack Fonseca that has spun a spotlight on the tax-avoiding efforts by the world's elite was likely the result of unpatched content management systems (CMSes). A slew of stories this past week drawn from the 11.5 million documents and 2.6TB of data have seen the prime …

  1. Crazy Operations Guy

    If you care about security

    For those that care about security, like Mossack should've, the first step to make WordPress secure would be to use "rm -rf /" and then use a much simpler and easier to secure method of publishing their website.

    To me, WordPress is pretty much Macromedia ColdFusion / Microsoft Frontpage for Web 2.0. Something that should only be used by groups so small that they can't afford someone to write a webpage for them. A company with the funds of MF should have a full-time web development team that manually updates their website rather than using a CMS...

    Of course, that ignores the fact that they were complete idiots and put multiple services on a single box like that, servers aren't that expensive, especially for a law firm pulling in millions a year on legal fees.

    1. theblackhand

      Re: If you care about security

      In defence of Wordpress, it is relatively easy to isolate and provides a way for non-technical people to spout their words of wisdom - if it was sitting in an environment where a compromise allowed access to key business data, then Wordpress is probably the least of the security mistakes in this story.

      A CMS on the other hand, would allow you to get both the documents and the structure and given the timeframes of about 1 year to collect the information requiring less than 1Mbps to retrieve all of the data.

      But surely given the nature of the information you are handling, sensible security precautions around authentication, application firewalling and IDS/IPS/monitoring systems would be in-place to avoid the destruction of the business...

      Ha! Yeah right...

      1. Anonymous Coward
        Anonymous Coward

        Re: If you care about security

        @Crazy Operations Guy

        I think Wordpress is pretty good...I've only ever had one hacked; and that was a disgruntled ex-employee (nobody told me was fired) that had a password. There are regular and fast security updates; and updating just involves pressing the "do it" button. You have to watch out for how well the plugins are being maintained; and also a bit of tweakery in the setup stage is a good idea; but on the whole it's pretty good to date. You can even order it to keep itself updated (if you just *know* you're turning it over to someone who will never, ever do it for themselves)...not an ideal solution; but hopefully the client will get bored of it and get it redesigned before it gets done over...it extends the life of an unattended install.

        Compare that to Drupal (and most other CMSs) where updates are infrequent and you have to take the thing to bits to update it; which doesn't encourage fast patching because it takes longer and is a pain in the helmet.

        Straight HTML is best if you're just displaying static info; but then the client needs to hire someone in to change anything.

        If you want the site to do anything; or if the user wants to be able to edit/add content themselves; there aren't many options that will touch Wordpress ***provided it's kept up to date***.

        In this particular case; it must have been a fairly fucked-up setup where compromising a website would allow you to get at the mailserver.

        1. Charlie Clark Silver badge

          Re: If you care about security

          I think Wordpress is pretty good...

          Means: "it works for you". Wordpress was in there early with and easy to install and use blog system. But to do this it made significant compromises in security because in the battle for the market convenience usually wins.

          Admittedly it's been a while since I looked at the code, but things like the plugin architecture are basically vulnerabilities waiting to be exploited. IMO you should treat all Wordpress installs open to exploitation and make sure sensitive information is not on the system.

        2. Doctor Syntax Silver badge

          Re: If you care about security

          "In this particular case; it must have been a fairly fucked-up setup where compromising a website would allow you to get at the mailserver."

          And this doesn't even come near the sheer doziness that lies behind using a mailserver as a document store.

          1. Anonymous Coward
            Anonymous Coward

            Re: If you care about security

            @Charlie Clark - Care to expand on this a little?

            I do try to keep things secure including

            -custom setup with no defaults.

            -new database and database user per site

            -Wordfence + All-In-One Wordpress Security plugins

            -Using as few plugins as I can get away with

            -Assuming that I can be compromised by anyone skilled enough

            -A couple of tweaks that I have learned along the way

            ......but I'm no coder and am always interested to learn new ways of making sites safer, if possible. I always do assume that any site can be got at with sufficient skills/money/time thrown at them; but it's not always easy to persuade clients of that.

            1. Charlie Clark Silver badge

              Re: If you care about security

              Best thing is to look at some of the exploits that have happened in the past: it's always an eye-opener.

              Do you allow uploads? Along with the DB code, the handling of files was/is always a popular vector. Best let the http server manage this whenever possible and make sure permissions are tighter than a fly's, er, wallet. ;-)

              Do you allow upgrades / installs through the admin interface? If so you must assume that your admin will be hacked so you must make sure that you have CSRF tools in place (may now be standard) but also rate limiting. Best disabling it altogether and installing stuff only via SSH – less convenient and that's the point.

              1. Anonymous Coward
                Anonymous Coward

                Re: If you care about security

                Thanks for that. I do periodically have a look at exploit sites to see what's happening

                Uploads? Public, no.

                There's (type-limited) media uploads in the admin panels. I used to stuff media in the back with SFTP; but wordpress gets all pissy about that these days. Upgrades/installs are allowed too..You're right that disabling it and using SSH is the way it *should* be done; but in my particular case (an absent-minded and impatient fast typist) command-line is just not the way to go. I'd be more of a menace than hackers, most likely. Get halfway through a command and start thinking about earmuffs for oysters, or whatever, and the next thing you know the site's disappeared up it's own ring.

                I shall have a look at the CSRF thing. Mind you, the worst thing they could do to any of my sites is login as admin and I would know about that within 5 minutes and have a OCFO (one-click fuck off) script against the eventuality; that simultaneously downloads all the logs; changes the username in the database; and redirects the IP across the entire domain to the most annoying YouTube video I can find. I'm a big fan of the 10-hour ones and this is my current favourite. I made the script in reaction to what I thought was an intrusion; but turned out to be another webmonkey's secret Indian subcontractor that he didn't want anyone to know about. Did it live, at the time and wrote the script afterwards to speed things up if it happens again.

        3. danima1

          Re: If you care about security

          Ahem, I don't mean to be funny about it, but isn't there an irony in praising Wordpress's "regular and frequent" security updates?

    2. Anonymous Coward
      Anonymous Coward

      Re: If you care about security

      For those that care about security, like Mossack should've, the first step to make WordPress secure would be to use "rm -rf /" and then use a much simpler and easier to secure method of publishing their website.

      No, you can WP run safe with a bit of effort. However, the ABSOLUTE first thing you do is to separate presentation from secrets. Especially if you have stuff to protect you NEVER put that on a public facing website (or leave it there if you collect data from people). If you need to interact with the big bad world, you first of all design so it requires really the most minimal amount of data, and that's what you isolate, and then make available via a DMZ with some proper (non-identical) firewalls handling a very tight policy for data in and out.

      You shouldn't even *think* about app level security until you have your network level security sorted out. There's a reason why we work with a stack.

      As a matter of fact, client details of that level don't even belong on a main network, but in an extra protected subnet with the mother of all logging and APT detection active.

      The real scandal is that with such clients you have enough money to do it right - it appears someone was getting too used to a cushy job.

    3. www.cellweb.co.uk

      Re: If you care about security

      Nothing wrong with WordPress - it is a CMS developed used, supported, updated and tested by millions of people worldwide. If anyone is going to find a blackhole it will be these people - rather than a bunch of web devs working for one company (MF).

      They failed to keep their site updated, they failed to have a proper network config, they failed to patch Drupal as well and they had a plugin that meant easy access to ALL their email systems.

      A schoolboy could have protected that setup very easily

  2. Anonymous Coward
    Anonymous Coward

    It is as I suggested

    Early reports claimed it was a whistle blower, but I said that the narrative would be changed to claiming it as a hacker - to aid those who want to shut down the dissemination of these documents or the information therein by claiming they are the product of illegal actions. And also because the law firm wants to cover their ass, because it is far far easier to explain to angry clients "we were hacked" than "we have a rogue insider who we haven't found yet".

    1. Len

      Re: It is as I suggested

      There are two things that I still find a bit suspicious.

      1) That it’s said to have come from a mail server. That all files have been stolen were neatly structured in folders containing sorted emails, scans, contacts, databases etc. suggest to me the data was stolen from a file server, not a mail server.

      2) How they got such an enormous amount of data out of the server without anyone noticing. With TBs of data you can’t just wait for the quiet hours of the night to fill the pipe. We’re talking months of continuous downloading.

      Both points make an inside job (nicking a backup tape?) much more plausible.

      1. Anonymous Coward
        Anonymous Coward

        Re: It is as I suggested

        "2) How they got such an enormous amount of data out of the server without anyone noticing. With TBs of data you can’t just wait for the quiet hours of the night to fill the pipe. We’re talking months of continuous downloading."

        God, not this lame garbage again. You find it hard to believe their techies could fail to spot a few mb/sec of network traffic when those same techies left a super uber mega guaranteed-pwnage vulnerability unpatched for A YEAR?

        And what the heck is this meme with it being "an enormous amount of data"? This is the 21st century - you can download it all in a few days on even the crappiest home internet connection and store the whole thing on a single $100 hard drive.

        1. Anonymous Coward
          Anonymous Coward

          Re: It is as I suggested

          "God, not this lame garbage again. You find it hard to believe their techies could fail to spot a few mb/sec of network traffic when those same techies left a super uber mega guaranteed-pwnage vulnerability unpatched for A YEAR?" - this *is* Panama we are talking about, where employees routinely will use corporate resources to host their own private music/movie servers. *IF* the data was moved over the network, they likely just ignored it; ratting out a fellow admin isn't a good move if you also have some questionable uses of the resources.

          "And what the heck is this meme with it being "an enormous amount of data"? This is the 21st century - you can download it all in a few days on even the crappiest home internet connection and store the whole thing on a single $100 hard drive." - Once again, this is Panama. The people with access to decent transfer speeds are very, very limited. The ISP's suck, their service sucks, and their services are expensive, so most people DO NOT have broadband. Plus, people are underpaid and overworked, so a disgruntled employee is very likely.

          The more likely scenario is that someone simply made an auxiliary copy of the data from backup while migrating from older hardware to newer hardware/testing backups, cleaned up the logs, and then walked out the front door with a drive in hand.

          And finally....Panama is corrupt. It's part of the culture (colloquially known as "juega-vivo") and an expected part of daily life. A hack is way more exciting to report on, but a leak is far more probable given the cultural and economic context.

    2. tom dial Silver badge

      Re: It is as I suggested

      I do not think this distinction is valid, unless the legal difference between "whistleblower" and "hacker" is that the first is on the company payroll and the second is not. In fact, what was done probably was illegal irrespective of who did it.

  3. LDS Silver badge
    Joke

    requires additional efforts that result in people putting off updates for months

    DevOps!

  4. CaitlinBestler

    Simpler yet - Just Encryt

    A law firm should not store client files in unencrypted format.

    You should have to retrieve them and then supply a pass-phrase on the receiving computer.

    Security is actually simple, you just have to take it seriously.

    1. Anonymous Coward
      Anonymous Coward

      Re: Simpler yet - Just Encryt

      But if the files were accessed through an application that had been compromised and had access to the data, would encryption help you?

      1. dajames

        Re: Simpler yet - Just Encryt

        But if the files were accessed through an application that had been compromised and had access to the data, would encryption help you?

        No ... but that sort of volume-wide encryption doesn't afford the sort of protection for client confidentiality that ought to be (but hardly ever is) in place in a law firm.

        There should be a document management system that encrypts each document with a different session key. There should then be an access control system that assigns each document to (say) a particular client account, and allows only specific employees to access the documents for each client account. The access control system would manage the encryption keys, so enforcing the security, and would audit every file access, so fingers could be pointed if documents went astray.

        This stuff hasn't been rocket science for years ... it's just expensive so hardly anyone bothers.

        1. a_a

          Re: Simpler yet - Just Encryt

          Care to name any commercially available document management systems that do that?

    2. Elf
      FAIL

      Re: Simpler yet - Just Encryt

      Yeahhhh...about that. I do Systems and Security and deal with the Legal Community fairly frequently. Their idea of security is that damned 25 line disclaimer in their EMail Signature to the effect of "This communication is only for the intended recipient so if you get it instead, be a dear and delete it. K? Thx. Bai!".

      Lawyers...encrypt data? Hell, my patent attourney communicated ON A SECURITY PATENT in the clear. My girlfriend's divorce attourney sent her and her ex's financial data (Name/SSN/Accunt Numbers/etc) in the clear.

      Good thing they make laws to prevent death-by-LART.

      The only industry I kno of that's worse is medical.

      1. Anonymous Coward
        Anonymous Coward

        Re: Simpler yet - Just Encryt

        Sure, because they are lawyers and physician thereby they believe they are endowed by their creator to ask and obtain huge sums for their skills, but everybody else should be paid nuts for theirs. To them, the IT guy is probably below the janitor - good luck now to clean all that mess....

      2. Doctor Syntax Silver badge

        Re: Simpler yet - Just Encryt

        'Their idea of security is that damned 25 line disclaimer in their EMail Signature to the effect of "This communication is only for the intended recipient so if you get it instead, be a dear and delete it. K? Thx. Bai!".'

        Probably true but very short-sighted. They, more than most people, should have their eyes on the consequences of hacking along the lines of "If someone holding my client's data got hacked how much would I be able to sue for?" followed rapidly by "But if I got hacked how much could I be sued for?". It seems likely that they couldn't afford to pay themselves for giving themselves that bit of legal advice.

        1. Anonymous Coward
          Anonymous Coward

          Re: Simpler yet - Just Encryt

          Laywers use email?

          Thought they still used fax machines for secure document transfer (yes they do, honestly they do)....sigh...

    3. Velv
      FAIL

      Re: Simpler yet - Just Encryt

      D'oh!

      Encryption is useless if an authorised and authenticated "user" accesses the data, and this is actually the more common route for data loss.

  5. Anonymous Coward
    Anonymous Coward

    And yet still so many systems I see have patching delayed because the customer doesn't want the outage, or doesn't want to do the PIV testing, or has 'a plan' to upgrade anyway. Good luck with that, bozos. For those in the contract IT business just make sure you have put a plan to the customer and have their rejection of it on file for when things go horribly, horribly wrong. And don't be afraid to escalate to the CIO, having leadership complain that they knew nothing about it because their underlings didn't escalate, will magically somehow make it all your fault too.

  6. Mark 85 Silver badge

    Various sources are reporting that the Icelandic PM hasn't resigned but stepped aside for some time off. Other sources are reporting Cameron will resign or at the other extreme there's a grass roots movement calling for him to resign. China has locked things down tighter and reports indicate that certain political types are "unavailable". No word on the Russian/Ukraine types... all's mum there also.

    All things considered, there's ton of crap flying from the rotary air movement device and some people are getting covered and there's supposedly lots more to be released from the journalists looking at it.

    Meanwhile, here in the States, all seems to be calm. I daresay that there's enough loopholes around that anyone who might have used MF didn't need to. Then again MF is in Panama and certain agencies have been known to track what flows through that country in terms of money.

    If a release comes from banks in the Caymans, all bets are off on how many US types would get caught up the mess that would make.

    1. Pseu Donyme

      re: US connections, relative lack of

      http://www.newyorker.com/news/john-cassidy/panama-papers-why-arent-there-more-american-names

      1. Mark 85 Silver badge

        Re: re: US connections, relative lack of

        Excellent link. Thanks for posting it. It does explain a lot.

  7. TDog
    Happy

    I've been doing this forever - ever since Denali was the description of what became active service pages which became .asp; I remember not getting a job with a building society which became a bank and then bankrupt (and paid for subsequently bust) because 'Who would Change the data in a Browser'

    Well about 1.3% of my taxes paid for incompetent plonkers who made that decision... So maybe he was smarter than I realised and didn't want any audit of his corruption. It still rankles from 30 year ago. Mr.(sarcasm intended) O'Brien you should know about whom I am talking. PS been reading the dox. And the name is a nom de wanker.

    So worry - I am checking and looking and you may be both startled, surprised and (perhaps) terrified by the records I kept.

    Honestly, (like sort of), your best friend (etc...etc... [spot the target]...)

  8. waldo kitty
    Facepalm

    stupid is as stupid does...

    TSSIA...

  9. allthecoolshortnamesweretaken

    Well, if I were a client of Mossack Fonseca I'd be demanding a refund right now.

    Security, yes we've heard of it.

    If I ever should get into serious legal trouble I guess I'd try to explain a thing or several to my lawyer about security, talk to their IT guy(s) (assuming they have one) and insist on a method of communication that is safe-ish - let's face it, that's the best I could realistically hope for. Also, poking around the other guy's lawyer's IT might be an option to consider.

    1. Alan Brown Silver badge

      "Well, if I were a client of Mossack Fonseca I'd be demanding a refund right now."

      Many of the clients are rich enough and sociopathic enough that Mossack Fonseca's partners might decide to go into witness protection programs, en masse.

  10. Anonymous Coward
    Anonymous Coward

    All that (tax free) income

    And no money for proper security.

    1. Anonymous Coward
      Anonymous Coward

      Re: All that (tax free) income

      "Tax free" - but what's the law firm's cut? What's the cost (and risk) of "laundering" that money so you can use it?

      Up to a point, I'd rather pay higher taxes than incompetent lawyers... and beyond that point it's probably a no-win situation. Being rich sounds like a royal pain in the ass.

  11. Destroy All Monsters Silver badge
    Big Brother

    Nice leak, shame about the murkiness

    ‘Who’s funding this?’ CIA & MI5 whistleblowers question credibility of Panama Papers coverage

    Rumors that Soros is behind this one, too? Looks like we are being served a targeted rile-up burger, again.

    US government, Soros funded Panama Papers to attack Putin – WikiLeaks

  12. Velv
    Headmaster

    Drupal 7.23 had major issues and Drupal 7.32 was the fix.

    OK, it's utter pedantry, but I do wish software authors would look carefully at the version numbers they release, and if the numbers are close (e.g. easily transposed like the above) then increment to another number to avoid potential confusion. This is not the only example I've seen recently where similar version numbers caused much head scratching.

  13. Anonymous Coward
    Anonymous Coward

    This is one of those times

    when a security breach is beneficial for the public at large.

  14. Destroy All Monsters Silver badge
    Gimp

    Another Doubting Thomas says

    Uncle Shmuel Points Fingers (Aka “Panama Papers”)

    To use a KGB expression the CIA’s “ears are clearly sticking out” in this strategic PSYOP who point is very obvious: to jump on the Wikileaks bandwagon and create a little “imperial wikileaks” in the hope to be taken as seriously as the real thing.

    ...

    Some might wonder if those documents are true and, if yes, how the CIA, or some OGA, could have come across these very “sensitive” files? Simple.

    For many years already the US government has been using its influence to get all the main financial centers of the world under its control. Some countries, such as Switzerland, have simply bullied in giving up their traditionally secretive banking practices, while banks were infiltrated by US agents and spies. The grand plan is simple: to take control of all the money flow worldwide. You want to bank “safe”? You better do it in the USA or else…

    Now look at the James Henry quote reported by the NYT above: “we have an onshore haven industry in the U.S. that is as secretive as anywhere”. Get that? What this means is this: “If you want to hide money, that’s fine with us, but only as long as you hide it with us“. It’s that simple. And, of course, if you want your money safe, you better not disobey Uncle Shmuel because he can take it anytime he wants. Elegant, simple, effective. Beautiful, really.

    The truth is that while the US intelligence community is rather incompetent, especially in HUMINT, the US control of the financial movements worldwide is nothing short of superb, especially in region of the world already controlled by the USA (such as Panama) or with banks with a long history of corruption and shady activities (Deutsche Bank, HSBC).

  15. Anonymous Coward
    Anonymous Coward

    Seems to me like the perfect storm.

    Vulnerable Wordpress Plugin

    Bad Network design

    Lacking proper firewall protection

    Drupal vulnerability not patched

    This was like a virgin honeypot surrounded by a hungry bee - a lesson to all

    peter ogilvie

    cellweb.co.uk

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021