Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach (wptavern.com)
An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.
Medal winner? (Score:4, Insightful)
We should give that person a medal for handing those dox to the press...
Re:Medal winner? (Score:4, Insightful)
The answer is probably that FATCA works.
What I find really telling is Obama's reaction. Never mind how little evidence there was that Americans were using off shore accounts to evade taxation, he just knows, they are doing it! We need more regulations! He says all this after his own secretary of state (Hillary Clinton) recently negotiated a trade pact with Panama which will make it easier to do exactly that sort of cheating. An agreement which he then signed into law.
The takeaway: anything is an excuse for more regulation on the left. That regulation will of course be carefully engineered to fall on us ordinary middle class folks and a handful of wealthy industrialists they don't like while not touching their elite friends in Hollywood, Politics, Law, and Academia. Like always some folks will be a little more equal.
At least when the GOP "just cuts tax rates" I get to enjoy some of the benefit. Sure maybe not to the tune the industrial owner class enjoys but I get something. The fact that the benefit is so unequal has as much to do with the existing structure again enacted by progressives and liberals too.
Let's continue to starve the beast and if we can get it small enough to fit into the tube let's drown it!
Re: (Score:2)
Or you could wait for the US details to be released, and then make a judgement. Not as much fun, I know, but at least then you won't look like some deranged muppet who values making points more than making points correctly.
Re: (Score:2)
Funny, all the articles I read at the time were already stating there were few Americans on the list. It's a couple of TB of data, yeah that takes a while to search, or at least to index initially.
Yet all those other names had already popped out. Once those indexes are built, having the computers grep a list of "who is who in politics and business" does not take long. Did you really think the big news outlets decided "hey let's search for all the non-US Citizens first?"
Dumb.
But I have waited now, and here we ar
Re: (Score:3)
Maybe you do get reduced tax payments, but you also suffer from reduced government spending. You suffer from regulations that don't get enforced, allowing things like companies to destroy the environment. You suffer from Wall Street ignoring regulations that are not enforced. You suffer in many ways, which likely outweigh the small benefit you g
Re: (Score:3)
One of the beasts that the Republicans starved was the IRS fraud investigators.
The IRS discovered wholesale tax fraud by organizations claiming to be 401(c) organizations illegally using their tax-deductible contributions for political campaigns.
Many of these organizations had "Tea Party" and "Patriot" in the name, so the IRS used those key words to find applications to investigate http://www.motherjones.com/pol... [motherjones.com] It's as if you searched for organizations with "Jihad" in the name to find terrorists.
The Tea
Law Firms are Cheap (Score:5, Insightful)
Every law firm I have ever had tangential contact with in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.
A breach like this is not an unexpected result.
Re: (Score:1)
"pay scale is broken for IT" That's why the government relies on expensive 3rd party firms for the development and support. Highly paid contractors staff the vast majority of government related systems. Working on the security and military related systems pays really well.
And all of the really big hacks we hear about today can be placed squarely on the shoulders of the IT system administrators. Atrocious firewall configurations, bad network appliances configurations, and failure to apply security patches as
Re: (Score:3)
I doubt though that it was a hack, I suspect it might as well be an insider. I mean, it would be so much easier to fetch those 3TB as an employee or contractor than through the website (which as far as we know might not even be connected to the data trove).
Re: (Score:2)
"they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license."
Failing to see the fail here. Of course, if you mean 7-year old unpatched or orphaned software then you have a point. But Samba on Linux serving files to MS - it does that rather well.
Re: (Score:2)
The word was "server" - i.e. hardware. Without redundancy or top-class backups, seven year-old hardware is a big enough risk, even if it was running modern, fully-patched, fully-hardened/paranoid software.
Re: (Score:1)
You would be shocked to see something like that, but with all the drives that would provide redundancy failed.
They didn't even attempt to erase the data when it was trashed.
Re: (Score:2)
Mossack Fonseca, the Panamanian law firm: "They hacked our what???? All that data is leaked? From corrupt world leaders and billionaires? Oh no no no no no...oh oh. OH FUCK here comes Wilfred Brimley!"
Wilford Brimley: "Have a seat there, son."
Re: (Score:2)
I wonder why
Re: (Score:2)
My experience too with law firms and accountants. I have a feeling they hate paying by the hour.
But they sure don't mind charging by the hour (in 1/6 hr increments no less)
Re: (Score:2)
Law firms are all about US vs THEM.
Our client vs the other client. The partners vs the overworked minions that hope to be partners. The partners vs the Contractors. It is in their soul to think like that. And people that work for them end up thinking like that too.
One corollary is the low quality of legal information available on the web vs the huge amount on software engineering on sites like stackexchange.
Re: (Score:2)
Not just law firms, but doctors and accountants as well. Basically it's as if the degree on the wall means they're more intelligent than the rest of the world, and unless you have a comparable degree, you're an
Re: (Score:2)
Having just started working for one of the biggest law firms in the world I have to say that they're not all cheap, we spend about the same per employee as my previous employer (~$14,000/year) which is average for all mid to large sized companies from the industry numbers I've seen.
Authorities have not yet identified the hac.... (Score:2, Redundant)
Look at the lack of US based names, so far there has been nothing but known criminals, on the other hand Russia, Pakistan, Iceland, UK have huge names outed.
Re: (Score:2)
"Authorities have not yet identified the hacker behind the Panama Papers breach", well it was the CIA/NSA. Look at the lack of US based names, so far there has been nothing but known criminals, on the other hand Russia, Pakistan, Iceland, UK have huge names outed.
Reports I've seen said this is because basically this stuff is legal, or at least trivial, for US based people. It's a rigged system. No need to go offshore to have someone else do your dirty work.
Re: (Score:1)
Outed as what though? "Look! Look! Microsoft has a massive shell corporation in Ireland!" No shirt, shitlock! The US government doesn't give a fuck about it, it's not secret, the only time it's illegal is when it's a personal bank account being used to hide income, and it's doubtful anyone needed some lawyer in Panama to open a bank account.
Re:Authorities have not yet identified the hac.... (Score:4, Informative)
But why would an American go to Panama if they can just go to Delaware?
The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...
Re: (Score:2)
But why would an American go to Panama if they can just go to Delaware?
The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...
Because Delaware information is visible to the IRS and Panama information is not.
On the flip side, Delaware information is probably not visible in Panama so you'd probably find Panamanian politicians with accounts there.
Re: (Score:2)
The US data will be released next week, apparently.
Re: (Score:1)
so why then does this law firm have offices all around the US if they don't tend to deal with US people?
Do you consider US corporations to be US people, my friend? These offices may only have shell companies as clients as opposed to directly working with US citizens.
Interesting how the outed reacted (Score:5, Interesting)
The Russians go on the offensive in the domestic media, claiming the dox were faked by the CIA trying to smear his good name.
The Chinese censor it in their domestic media.
The Icelanders protest and their Prime Minister resigns.
Re:Interesting how the outed reacted (Score:4, Interesting)
So what are the big US names involved? Or do they not need these kinds of structures as they have other ways of not paying taxes?
Next week, apparently. The first round was just to get westerners interested in what would have otherwise been a bit of a flash in the pan 'revelation' that rich people don't pay tax. Most people wouldn't have been interested as the details are complex, and they would have figured such schemes are just part of being rich. The Chinese, Russian and Icelandic reactions to the news have succeeded in getting the common westerner's ears pricked up to the thought that this could be a very big scandal indeed.
We will see what happens. I suspect David Cameron might be done next week. He is playing extremely strategic word games about his situation, and I can't see why he would bother being so meticulous unless he is concerned something has a good chance of coming out. I suspect he has a very big skeleton in his closet, and is being very careful to ensure he can only be labelled a hypocrite, not an outright liar.
Re: (Score:3)
From a French journal, the possible reasons for the lack of US based names:
- Mossack Fonseca is not the only player.
- US taxation is lower than the average in OECD countries
- FATCA
- The US has its own tax havens
Separation of powers (Score:2)
I would hope that the web server is on a machine with its own internet connection that doesn't share ANYTHING with the internal corporate network besides perhaps a UPS. The less a website is linked to the better.
I'm no web expert, but I have had this conversation over and over again with small to mid-sized business owners. First, assume your web server is going to get herpes. Make your next decision accordingly. Big companies with big budgets have more options.
LOL! (Score:1)
Should have hired me instead, suckers!
I'm not surprised... (Score:5, Interesting)
Re: (Score:1)
No no no, you're supposed to make the whole thing world-writable so it can upgrade itself automatically!
Re: (Score:2)
I ran into this problem too. I wound up running InfiniteWP [infinitewp.com]. It's free. (Some of the additional features aren't free, but you don't need those.) You just install the InfiniteWP plugin on your WordPress sites and connect them up with the main InfiniteWP install. Then, you use InfiniteWP to install plugin/theme/WordPress updates on all of your servers.
Re:I'm not surprised... (Score:4, Interesting)
Seems pretty simple to me
You still have to log in, respond to any post-update screen messages, and make sure nothing else is broken. Multiply that by a half-dozen WordPress websites and it becomes a lot of work. A static website doesn't require that much housekeeping.
Re: (Score:1)
UNPATCHED, OUTDATED open source software. FTFY.
Re: (Score:2)
[...] people that advocate Open Source as a way to fix it are people that should not be in IT making IT decisions.
From my 20+ years of experience in working in IT, these decisions are often made outside of IT and IT gets stuck with the implementation tasks. Worse, a non-IT owner will be responsible for maintaining the software and applying updates on a regular basis. Doesn't happen. Six months later, IT gets dinged in a security audit and has to take over the server since the non-IT owner went AWOL.
Re: (Score:1)
send resume, orgs=all -exclude current'
What versions are vulnerable? (Score:4, Insightful)
How do you know if your WordPress or Drupal site is vulnerable? If the version number is greater than zero of course!
Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!
Re: (Score:2)
Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!
Not true! They can be used to generate static sites quite safely. :)
Re:What versions are vulnerable? (Score:5, Insightful)
What's the alternative, roll-your-own CMS's? I've done those, and you are always re-inventing features that come standard or are plugins in established CMS's as management/customers keep asking for new features.
I've found security mistakes in my own code because of typical human error that inherently pops up when dealing with complexity. There may indeed be some security-thru-obscurity from DIY, but it just seems another form of gambling.
I believe the best way to go is to outsource the basic CMS hosting and patching to an experienced vendor who is contractually obligated to patch timely, and verify that they do it via random spot checking.
Because they run lots of CMS instances, they should have the scripts and expertise to patch with some degree of economies-of-scale such that the expenses of timely patching shouldn't be too costly for them.
Plus, they are likely to have somebody there Sunday at 3am to patch so that you don't have to come in at 3am to patch yourself in order to keep the system up during normal hours.
But, I don't have enough experience with that approach to render a final judgment. If anyone can recommend vendors who fit that bill based on experience, that would be great.
Re: (Score:1)
...or just use something that was designed better in the first place, and more secure by default... like Plone.
-Matt
Re: (Score:2)
I run plenty of WordPress websites and they aren't too difficult to secure if you put a little effort into it. In this case, the big problem was that they didn't run updates. The site was running 4.1 instead of the latest version (4.4.2). It should have been updated long ago. (4.1.1 was released February 2015 and 4.2 was out in April 2015.) The same goes for plugins (which you should use as sparingly as possible since it not only increases security risks but can add to load time.) You can also install
Re: (Score:1)
Instead of just taking pot shots, can you suggest an alternative?
Drupal is usually not the right solution for a "brochure" site. But, when done right, it can work very well as a portal for a more complex application, which is how it was being used in this case.
Re: (Score:2)
FTP! Cute!
Wow (Score:2)
Scaring The Others Into Better Security? (Score:3)
This public outing of Mossack Fonseca's pathetic computer security will have the unfortunate consequence of convincing the rest of the firms in that line of work to get more serious about their own. For those who want greater transparency in the world of tax havens this hack of Mossack Fonseca might be a wrench in the works.
Re: (Score:2)
Your comment is so stupid, it is staggering.
Re: (Score:2)
I am referring to the idea that bad IT security would mean "better transparency".
Re: (Score:2)
It clearly did in this case, not the first time either.
Re: (Score:2)
No, it did not. It did point out a serious problem, but "transparency" is something else than getting a huge, unstructured and very likely incomplete data-dump to the press.
Re: (Score:2)
There are other forms of 'transparency', but this qualifies. All data is subject to manipulation. This data should not be accepted at face value, but no data should.
Air Gap anyone? (Score:3)
What the hell is sensitive client data doing on an Internet connected machine?
Re: (Score:3)
Air gaps aren't enough. The Iranian centrifuges were air gapped.
Re: (Score:2)
The Iranian centrifuges were air gapped.
Stuxnet was a one way payload. It only had to get on to the controllers. At Mossack Fonseca, the object was to get data back out.
Obligatory Simpsons (Score:2)
Wordpress vulnerabilities (Score:2)
Wordpress vulnerabilities - for once they're a help and not a hindrance.
Bernie Sanders warned us about this (Score:5, Informative)
Bernie Sanders warned us about this back in 2011 or so...
https://www.youtube.com/watch?... [youtube.com]
Sanders made a speech on the Senate floor in October of 2011 that warned that a proposed trade agreement with Panama would open the floodgates of American money flowing into off-shore tax havens, a plea that ultimately fell on deaf ears as the agreement was signed by President Barack Obama later that year.
Re: Bernie Sanders warned us about this (Score:1)
Bernie Sanders in 12,000BC warned us this fire thing would come back to bite us!
Re: (Score:2)
Bernie Sanders in 12,000BC warned us this fire thing would come back to bite us!
And damn if he wasn't right about that too.
This hacker needs to be punished severely (Score:4, Funny)
I hope they catch them and throw the book at them. Life imprisonment at least.
They have embarrassed more very powerful people than Snowden and Assange combined. This type of activity must be stopped.
Re: (Score:3)
You see, those rich people were hiding the money so terrorists wouldn't find it. But now that the terrorists know where the money is, the terrorists might take it and use it for terrorism. Have I said "terrorists/terrorism" enough times now to get everyone against these hackers? Terrorism. Terrorism. Terrorism. Terrorists. Terrorism. Terrorism. How about now?
Windows not to blame for Panama Papers breach? (Score:1)
Guess they had no money for IT security (Score:3)
With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.
When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.
Re: (Score:2)
With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.
When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.
It was stupid decision making not just money. Though being cheap had a big part to play.
A law firm web site doesn't change fast enough or often enough to do anything more than a folder full of traditional HTML files, JavaScript, CSS and images.
They could have used something like that and headed off 99.99% of the potential problems.
Someone probably heard WP was "easy" and it wasn't even an IT guy at all that set it up. The reality is, WP is about as much work and learning as getting up to speed on HTML and
Re: (Score:2)
WordPress can be easy, but that doesn't mean that you don't need to know anything about websites/security to run a site. Especially if your site is "protecting" information on huge financial transactions. For most people, not updating their WordPress site just means that some joker puts "Powned By Hakors" on it. Annoying but ultimately not a huge impact. The bigger your site, though, the more you can't just say "we'll use X because it's easy and won't think about anything else." This is true regardless
Biggest contributor to Panama breach: (Score:5, Insightful)
Biggest contributor to Panama breach:
People doing illegal things in the first place.
Re: (Score:2)
What we still don't seem to have, is proof of any actual crimes.
Public outrage over morally questionable selfishness is pointless stupidity. Where is the crime? Where is the proof?
Actually, we have the proof. It's in the data dumps.
The actual actions involved are illegal tax shelters. These work for corporations because they are, in fact, legal. They also work for high net worth individuals, but only if they are willing to relocate their residence outside their home country for a period of time.
For the U.S., the magic number is ~191 days a year (indisputably, at least 51% of their time). For other countries, the numbers are different.
In all cases, however, the general rule is tha
Not convinced (Score:4, Interesting)
We're talking about 2.6TB of data here, 11.5 million documents, photos, scans, and emails created over a time span of 1970 till now, received in batches during a year.
I highly doubt some external party used an exploit in customer facing portals to download this many individual files.
Re: (Score:2)
Law firms like to put all that stuff in a big database (or two.)
Chances are someone got that, or backup files of it and just set the download to run slowly over a couple of weeks so nobody noticed network slowdown.
You only gotta get it out once.
Server split? (Score:2)
Why is customer account info on a WCMS? The public-facing stuff should be hosted separately from the private/internal stuff (like customer accounts) such that if your public WCMS is breached, the private stuff should be protected. There should be a fire-wall between the public host and the private customer data hosts/servers. You wouldn't put customer details on a public WCMS normally. Your public site is a sales-ish tool.
For biz-to-biz transactions, typically a CRUD-centric tool would be used, not a WCMS.
Tha
Health consequences of breach (Score:2)
Utter Horseshit! (Score:4, Insightful)
1. Even in the highly unlikely scenario that Wordpress was installed on the same system as Outlook Web Access, it would not provide access to the Exchange email system.
2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Exchange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.
3. Encrypted email? Who the fuck does that? No one, that's who. Let's not bother with any pretentious or condescending horseshit. Probably half of the world's email sits on Exchange servers, corporate on-premise or Office365/Outlook.com/Hotmail... None of it is encrypted at rest. Despite the available option and Google's recent TLS push, SMTP is generally not encrypted. So, email in flight is even more open than at rest. This is the way it is everywhere and is not a major security issue.
4. The Panama Papers consist of 2.6 TERABYTES of data! Have you ever tried to push or pull that much data over the internet? It is a huge undertaking, even with very high speed connections. While technically possible, it is unlikely that that much data was siphoned off remotely, especially from slow-ass Exchange servers.
This entire article is pure fantastical supposition and utter horseshit. 2.6TB of Exchange emails DID NOT come through any Wordpress exploit. This data almost certainly came from an inside source and was walked out on a USB external drive which itself would have taken over 36 hours to copy the data to.
This "story" is utter horseshit. Just like the international outrage over legal financial activities. It's all manufactured nonsense.
Re:Utter Horseshit! (Score:4, Insightful)
Oh please. That Telstra customer pushed 1 TB of the Panama papers over his LTEx4 connection just this last Sunday.
Most hacks are due to outdated CMS packages (Score:1)
So many servers run ancient versions of popular CMS packages and then wonder why their server constantly gets hacked.
Heaven forbid they are running WHMCS on a box with other websites (quickest way to get rooted).
It got so bad for us here, I had to write a script to scan customer servers just to find all of the outdated packages.
It amazes me to read some of the reports, seeing sites running decade old software is not uncommon.
Still is a battle to get people to actually update their sites once they have been
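The kind of inventory script this comment describes, written here as an added example and not the commenter's own code: it walks a directory tree you administer, reads the version each WordPress and Drupal install declares in its own code (wp-includes/version.php and includes/bootstrap.inc), compares it against release floors, and for Drupal also notes whether CHANGELOG.txt is still sitting in the webroot, which is how the version of the Mossack Fonseca portal was read off. The floors in MINIMUM_VERSIONS, the function names and the sample tree built by build_sample_tree are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Release floors for the "outdated" verdict. WordPress 4.4.2 is the current release
# named in the thread; the Drupal 7 floor is an assumed placeholder. Replace both
# with the vendors' latest security releases before relying on the report.
MINIMUM_VERSIONS = {"wordpress": "4.4.2", "drupal": "7.43"}

# WordPress ships its version in wp-includes/version.php:   $wp_version = '4.1';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)['\"]")
# Drupal 7 defines it in includes/bootstrap.inc:            define('VERSION', '7.23');
DRUPAL_DEFINE_RE = re.compile(r"define\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9][0-9.]*)['\"]")
# CHANGELOG.txt lists the newest release first:             Drupal 7.23, 2013-08-07
DRUPAL_CHANGELOG_RE = re.compile(r"^Drupal\s+([0-9][0-9.]*),", re.MULTILINE)


def parse_version(text):
    """Turn '4.1' or '7.23' into a tuple so that (4, 1) < (4, 1, 1) < (4, 4, 2)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def is_outdated(product, version):
    return parse_version(version) < parse_version(MINIMUM_VERSIONS[product])


def read_match(path, pattern):
    """First capture group of `pattern` in the file at `path`, or None if absent."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = pattern.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def scan(root):
    """Walk `root` and report each WordPress or Drupal install found beneath it.

    The version is read from the application code rather than from CHANGELOG.txt,
    so the check still works after an administrator removes or denies that file;
    Drupal findings additionally flag whether CHANGELOG.txt is still in the webroot.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "wp-includes" in dirnames:
            version = read_match(os.path.join(dirpath, "wp-includes", "version.php"), WP_VERSION_RE)
            if version:
                findings.append({"product": "wordpress", "path": dirpath, "version": version,
                                 "outdated": is_outdated("wordpress", version)})
        if "includes" in dirnames:
            version = read_match(os.path.join(dirpath, "includes", "bootstrap.inc"), DRUPAL_DEFINE_RE)
            if version is None and "CHANGELOG.txt" in filenames:
                version = read_match(os.path.join(dirpath, "CHANGELOG.txt"), DRUPAL_CHANGELOG_RE)
            if version:
                findings.append({"product": "drupal", "path": dirpath, "version": version,
                                 "outdated": is_outdated("drupal", version),
                                 "changelog_in_webroot": "CHANGELOG.txt" in filenames})
    return findings


def build_sample_tree():
    """Constructed test data: one WordPress 4.1 site and one Drupal 7.23 portal, the
    versions the thread attributes to Mossack Fonseca. Nothing here is real site data."""
    root = tempfile.mkdtemp(prefix="cms-scan-")
    site = os.path.join(root, "www", "site")
    os.makedirs(os.path.join(site, "wp-includes"))
    with open(os.path.join(site, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '4.1';\n")
    portal = os.path.join(root, "www", "portal")
    os.makedirs(os.path.join(portal, "includes"))
    with open(os.path.join(portal, "includes", "bootstrap.inc"), "w") as fh:
        fh.write("<?php\ndefine('VERSION', '7.23');\n")
    with open(os.path.join(portal, "CHANGELOG.txt"), "w") as fh:
        fh.write("Drupal 7.23, 2013-08-07\n-----------------------\n- Constructed entry.\n")
    return root


def demo():
    """Scan the constructed tree; returns the findings sorted by product name."""
    return sorted(scan(build_sample_tree()), key=lambda f: f["product"])


if __name__ == "__main__":
    for f in demo():
        flag = "OUTDATED" if f["outdated"] else "ok"
        print(f"{f['product']:<9} {f['version']:<7} {flag:<8} {f['path']}")
```

Point scan() at a real document root to get the same report for your own hosts; anything flagged outdated is a patching ticket, and a Drupal finding with changelog_in_webroot set is a reminder to stop serving that file.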
More technical info on Panama Papers (Score:2)
There are more technical details in this article [www.unicornriot.ninja].
They are running a 2013 version of Drupal that is vulnerable to SQL injection (dubbed Drupalgeddon).
They are also running an Oracle HTTP server too. That web server seems to be ignoring the .htaccess setup by Drupal, and returns back the entire code of the .module files, and listings of directories, and such.
More interesting is how ICIJ set up their own collaboration around the documents using open source software, like VeraCrypt (fork of TrueCrypt), Backlight (
lots of info on the Mossack issues & code here (Score:2)
This has a lot of detailed information about the problems with Mossack Fonseca client portal: http://www.unicornriot.ninja/?... [www.unicornriot.ninja] including the possibility of using the website vulns to get into Oracle.
Re: (Score:1)
I'm amused.
Re: (Score:2)
Looks like a release date and not a title to me...
Re: (Score:2)
Naaaa, sounds like the first person above script-kiddy level got in. Boring from a technological point-of-view. Even a reasonably done simplistic penetration-test would probably have shown how bad things are. I guess they had no money for that with them all busy getting rich.