I was idly wondering ...
given the sanitisation the released M-F papers show, if there's anyone targeting the ICJ (or whoever) looking for the unredacted versions?
Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca. A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers. “They updated the new payment CMS, but forgot to lock the directory /onion/,” …
> So does that mean their Drupal installation is off the hook then?
Nope - but they were also running a legion of vulnerable WP plugins until last week - as they were also using WP SMTP, their mail server creds were easily available.
WordFence pointed at Revolution Slider as the entry point:
This is interesting because I assumed that law firms handling extremely sensitive offshore tax haven creations for the richest people in the world would be super-paranoid about security. But, it's not surprising -- every industry I've encountered that I've assumed is at least security-aware actually isn't.
I earn a little cash on the side by tutoring a friend's kid. He's in his 2nd year at university in the UK. I'm a programmer, not a teacher, so I basically try and get him to understand the code assignments he gets, without doing them for him.
So far c#, Java and PHP. Every single one showing crazy insecure coding and poor logic (in terms of defensive code that fails gracefully).
It's got to the point where I have said to him "I can't tell you the right answer because it is so far from the basic code you were supplied that they will know an industry person answered it for you".
... TL:DR ... the next gen are rubbish.
"... TL:DR ... the next gen are rubbish."
I suspect you'll find the previous generations have their fair share of rubbish too. MS-DOS, need I say more? The thing is, for every MS-DOS you'll find something decent, and of course software does sometimes improve.
That said I'm pretty sure most 80s vintage software would rate as rubbish from a security standpoint. Times have changed, and the bar has been raised quite a lot. ;)
MS-DOS, need I say more?
MS-DOS is, at its core, really not that bad. It has all the rudiments of a decent multi-tasking OS.
Sadly, it appears to have been "finished off" in a bit of a hurry, and there are some dreadful hacks that were never fixed. And that's where it got its reputation...
"MS-DOS is, at its core, really not that bad. It has all the rudiments of a decent multi-tasking OS."
I'll have to take your word on that, I couldn't see the rudiments because I couldn't see beyond all the missing stuff that could be found elsewhere in (older) OSes running on comparable hardware (such as OS-9, BSD / System III / Xenix, RSX-11M). I remember being very excited to have my first crack at MS-DOS on a proper business machine, having got past the basics I was left feeling somewhat underwhelmed, and I remained convinced that I must have missed something or needed to buy a bigger manual.
The feeling was akin to one you might have if you were hoping for a bike for Xmas, but got a pair of socks instead - which I hasten to add would be welcome if they were good quality woollen ones, to help the miles glide by on a long walk. ;)
The feeling was akin to one you might have if you were hoping for a bike for Xmas, but got a pair of socks instead - which I hasten to add would be welcome if they were good quality woollen ones
I know exactly what you mean.
But the trouble with MS-DOS is that one sock is a good quality, nicely-made garment, but the other has no toe bit, and some of it is made of some nasty acrylic thread...
Like I said - the original, reasonable design is quite clear if you look at the internals. But the implementation of that design was never finished, and a bunch of stuff was lashed up over the top of the unfinished project to produce what we all know and - errr - don't love.
The real problem is that the school/uni mindset never abandons most of them. While studying you may be more concentrated on the things you're learning and the outcome (especially grades), and you throw away your work once done; that's not how it works when you become a professional, and your work may live on and haunt you (and unluckily, others...) for years to come.
I still see developers obsessed with making something work somehow - if and only if nothing bad happens; if it does, pray... but after all nothing ever goes wrong in software, right? "It works on my machine with the same two bytes of input over and over, therefore it will always work!"
And every time you point out that's not the way and explain why, many of them get upset: "hey, I don't have years to code it, after all it works!" - until it fails in some "spectacular" way... usually then I'm called to clean up the mess, and then they complain because I earn much more than them...
It is true teaching should shift focus from just getting the job done to actually requiring it be done the right way. But just checking some outputs is far easier than actually looking at the whole code and identifying bad areas - if you're capable of that.
An evergreen argument, in the evergreen "A Man for All Seasons":
William Roper: So, now you give the Devil the benefit of law!
Sir Thomas More: Yes! What would you do? Cut a great road through the law to get after the Devil?
William Roper: Yes, I'd cut down every law in England to do that!
Sir Thomas More: Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat? This country is planted thick with laws, from coast to coast, Man's laws, not God's! And if you cut them down, and you're just the man to do it, do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake!
Fair point. Two terabytes is about three weeks of maxing out a 10 Mbit/s connection. Doing it on the sly would require longer, or a fatter pipe, or MF's IT people being asleep at the wheel. What you wrote, though, was 2Tb and two terabits is something you could suck out in one night. Also, I imagine that these guys can afford a pipe the size of the nearby canal.
The media has said that over the period of at least 6 months *more* data was handed to them. So, in theory, that is more than enough time to
1) Choose a low bandwidth upload.
2) Choose a time/place/connection that is not being checked (like the public wifi or the boss's "I need my own connection to watch YouTube at lunch" iPad).
Though I assume this would only go unnoticed if someone else was already a constant bandwidth user, as a constant upload would show as an additional load not being applied by the backup systems, the Skype calls etc. So I assume those in IT either did not look to see if anything was uploading, or they could not see?
If it's mostly text, it would of course compress down pretty well. Depending on what sort of access I had to the target's servers, I might compress it locally and then transmit the compressed files. But when bragging about how much data I liberated, I would of course quote the uncompressed figure :)
I'm recycling keystrokes today.
Normal service will be resumed as soon as I work out what normal is.
If the whistleblower is an insider they would want to cover their tracks. Getting the investigators to look into a dozen red herrings will keep them away from the real source of the leak. Putting bugs into applications may also give some room for plausible deniability, assuming whoever leaked was an insider. That seems likely given the volume of data passing outside unnoticed.
I think it is the law firm itself and the government officials concerned who have more of a reason to make people believe it was hackers rather than an inside job. The fact that a hole was found in the law firm's systems in no way makes the likelihood of a hack any greater, but that's what the powers that be are trying to imply.
If you had security specialists looking at anyone's systems you'd find something; no one has perfect security. If that one hole is all they've found, I'd wager they've got much better security than most organizations!
While there's a lot of focus on Mossack Fonseca right now, they are said to be the fourth biggest firm specialising in "offshore banking".
I'm guessing that the sysadmins at the top three have been under a lot of pressure these last few weeks, whether it's from outsiders trying to hack in, or their employers wanting them to guarantee that their systems are secure and that nobody is leaking anything (good luck guaranteeing that).
Hope for their sakes they get paid well.
Why does this keep happening? SQL injection is possibly the easiest security flaw to avoid.
Don't get me wrong, this Panama leak has been nothing short of gut-bustingly hilarious. But how are we as a profession meant to be taken seriously when programmers keep making the same stupid elementary mistake over and over and over again?
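The comment above says the flaw is easy to avoid; the following is an added example (not from the thread or from any Mossack Fonseca system) that puts the mistake beside the fix. It assumes a hypothetical client-lookup in a CMS, built over an in-memory SQLite table with constructed sample rows, and shows why a parameterised query keeps untrusted input as data while string concatenation lets it rewrite the statement.

```python
import sqlite3

# Constructed sample data: a tiny client table standing in for a CMS's records.
SAMPLE_CLIENTS = [
    ("Alice Example", "ref-1001"),
    ("Bob Example", "ref-1002"),
    ("Carol Example", "ref-1003"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, ref TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", SAMPLE_CLIENTS)
    return conn


def lookup_vulnerable(conn, ref):
    """The elementary mistake: the untrusted value is pasted into the SQL text,
    so characters inside it can change the statement's structure."""
    sql = "SELECT name FROM clients WHERE ref = '" + ref + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, ref):
    """The fix: a placeholder binds the value as data; the driver never lets it
    become part of the SQL, whatever characters it contains."""
    sql = "SELECT name FROM clients WHERE ref = ?"
    return [row[0] for row in conn.execute(sql, (ref,))]


def compare(ref):
    """Run both lookups on the same input; returns (vulnerable_hits, safe_hits)."""
    conn = make_db()
    return lookup_vulnerable(conn, ref), lookup_parameterised(conn, ref)


if __name__ == "__main__":
    # A well-formed reference and the textbook tautology that demonstrates
    # structure-altering input; only the concatenated version is affected.
    for probe in ("ref-1002", "ref-1002' OR '1'='1"):
        vuln, safe = compare(probe)
        print(f"{probe!r}: concatenated -> {len(vuln)} rows, parameterised -> {len(safe)} rows")
```

The parameterised version returns no rows for the malformed reference because the whole string is matched literally against the `ref` column, which is exactly the behaviour a reviewer should expect from any lookup that takes user input.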
Panama is only one head of the tax haven Hydra "allowed firms such as Mossack Fonseca to flout its own weak official safeguards against financial crime. The client leaks point to links with drugs lords, Mafiosi, terrorists, arms companies and rogue states. The fact that Mossack Fonseca can state that it has never been accused or charged in connection with criminal wrongdoing shows that Panama’s financial regulators, police, judiciary and political system have been part of the system — corrupted or influenced by the lucrative flows from the dirty .....