The Panama Papers leak reveals the shadowy workings of the Panamanian law firm, Mossack Fonseca, in establishing offshore corporations for businesses, politicians, heads of state, athletes and celebrities for the sake of providing tax shelters and channels for arms and human trafficking. Illegal activities aside, what is particularly shocking is the lack of cybersecurity that may have contributed to over 2.6 terabytes of emails and documents (totalling over 11.5 million in all) being nabbed by hackers and landing at the feet of the Consortium of Investigative Journalists (ICIJ), who broke the story a year after obtaining them.
Security experts have analyzed the methods by which the attackers were able to obtain the data, and what’s come to light is an astonishing lack of basic web security practices on the part of Mossack Fonseca and their web administrators. Data breaches occur every day to government, business, and personal websites with varying degrees of damage. Although the Panama Papers sheds light on secretive and largely illegal activities, security vulnerabilities like these can affect legitimate companies who want to protect their customer data.
Image courtesy of Panama Papers, Süddeutsche Zeitung
To understand the level of the security shortfalls, it helps to understand the software that Mossack Fonseca uses to power their multiple web properties. The firm uses two of the more popular content management systems (CMS) around, WordPress and Drupal, to power their public and client-facing websites, respectively. The client portal was used to share sensitive documents between the law firm and its clients. Both are written in PHP and are open source, meaning that their code base is free, accessible, and developed and maintained by community developers. While these systems can be secure environments for storing important data, the manner in which these systems were maintained, or not maintained, by Mossack Fonseca has been attributed as the cause for how attackers were able to steal the damaging documents used in the reports.
WordPress security company Wordfence analyzed the law firm’s web hosting environment following the leaks to determine how attackers may have obtained all of this data. Wordfence determined that the WordPress site was over three months out of date while their Drupal site was almost two years out of date. Furthermore, the company was using outdated third party plugins for WordPress which may have opened the doors for hackers to access other systems and passwords.
Website owners can learn from the mistakes made by Mossack Fonseca. Here are some of the main takeaways from the Panama Papers:
Protecting the Core
Both WordPress and Drupal have a large community of web developers contributing code to various aspects of the platform, also known as “the core”. Because they are open source, the code is able to be viewed by a larger user base, which can lend a hand at exposing potential security risks in the code base. When this happens, those vulnerabilities are typically brought to the core development teams who then fix the issue, release an update, and publish bulletins to notify web developers and users of the risk and the fix.
Mossack Fonseca’s client portal on Drupal was vulnerable to hacking due to running a version of Drupal that was over two years old. In that time, Drupal security teams had brought to light major vulnerabilities and urged website administrators to patch the software. Because these security bulletins were ignored by Mossack Fonseca, it was entirely possible for hackers to access sensitive files and data from their client portal.
In WordPress, security updates are typically announced at WordPress.org, while Drupal has their own security team and security bulletins are announced via news lists. WordPress by default will automatically update itself when security updates are released, which makes it painless to keep core WordPress up-to-date. Drupal updates need to be manually applied, which means that it’s vital for website admins to pay attention to update notifications and apply security updates immediately.
Leaving The Door Open With Plugins and Modules
Third party code that extends the functionality of the core CMS platform are known as plugins and modules (for WordPress and Drupal, respectively). Besides using an outdated version of WordPress, Mossack Fonseca was using the Revolution Slider plugin, a plugin that is “one of the most common WordPress vulnerabilities” when not updated. In an update to the original report provided by Wordfence, because Mossack Fonseca’s email server was hosted on the same server as their websites, it is likely that their email was hacked via a vulnerability in Revolution Slider.
Plugins and modules have varying degrees of scrutiny and oversight by security teams based on the platform, the popularity and the method by which they are distributed. In general, Drupal has wider and more stringent security review of community-developed modules for its platform than WordPress, however, plugins that are distributed via the WordPress Plugins directory must pass a security review and are typically maintained and supported. Revolution Slider, which has had known vulnerabilities going back to 2014, is not available at WordPress and is instead sold and downloaded directly from the company website and also from the popular software storefront Code Canyon
When you obtain code directly from plugin developers (or via sites like Code Canyon) you are on your own to determine whether the plugin is maintained and to find out if there are security updates. In these cases you will rely on the individual developer or development team to assure that the plugin is maintained and patched as new and potential vulnerabilities are exposed, so look for plugins that are frequently maintained and actively supported. If they are not, avoid using them lest risk your site and data being exposed to attackers.
Separation of Concerns
The reports reveal other shoddy practices that likely led to stealing of of the 11.5M+ documents that would be known as the Panama Papers. In web security, the practice of “separation of concerns” means that you mitigate the risk to any one system by decentralizing where your data lives and how it is accessed. Mossack Fonseca hosted their email server on the same server as on their web server, and had passwords for their email stored visibly in the WordPress database. With a compromised WordPress installation, it would have been easy to obtain email passwords and retrieve email. If emails had been on a separate server, it would have made it harder for hackers to obtain the emails even if the website was hacked.
Ask The Right Questions
The largest data breach in Internet history was likely caused by a lack of security best practices. Companies should understand how their website is hosted and information stored. Demand to understand from your developers or web hosting team how data is secured and risks to hacks and attacks are mitigated. It could save your business, as well as your client’s business.