Panama Papers Hack… Are CMS Bugs to Blame?
Hackers breached the systems of Panama-based law firm Mossack Fonseca and leaked an extraordinary amount of documents that has shed a light on the tax-avoiding efforts by the world's elite leaders, which was likely the result of unpatched content management systems. The Panama Papers breach is the largest data leak in history, with 2.6 terabytes of data, 11.5 million documents, and more than 214,000 shell companies exposed.
According to Reuters, Mr. Fonseca said the "only crime" that has been committed was the hack of his firm's servers.
The first leaks were exposed through a vulnerability in Drupal, known as Drupalgeddon. Forbes discovered that the company’s website ran Drupal version 7.23 which has at least 25 known vulnerabilities. As every Drupal system admin is aware, this version came before the security patch was installed in version 7.32 which was extremely critical, as a security warning was issued back in October 2014, explaining to users that anyone running a version below 7.32 should upgrade or within seven hours of its release they should assume they’d been hacked. It seems like Mossack Fonseca didn’t consider a fresh install, so its "secure portal" has been wide open to exploitation for a long time.
“That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers,” Forbes wrote.
The Panamanian law firm has protected the assets of the rich and powerful individuals by setting up shell companies through employing an alarmingly sloppy web security and communications policy.
The Reactions from Industry Professionals
Professor Alan Woodward, a computer security expert from Surrey University states: “Mossack Fonseca's front end seemed horribly out of date. I can't understand this. Take something like Outlook Web Access – if you keep your Exchange Server up to date this just comes along naturally. They seem to have been caught in a time warp. If I were a client of theirs I'd be very concerned that they were communicating using such outdated technology."
Chuck Lundberg, Chair of the Professional Liability Committee of the International Association of Defense Counsel (IADC) explains: “Cyber Liability has been a cutting-edge exposure issue for lawyers and law firms for a couple years now. Groups like the IADC and the American Bar Association have repeatedly featured this issue in their national conferences recently.
The Panama Papers story focuses the cyber issue on a law firm in a way few prior stories have done. A very recent article in the Times of London indicated that the law firm involved -- Mossack Fonseca -- had significant computer security failings that allowed hackers to infiltrate its systems and steal millions of documents, quoting security experts who said the firm used outdated software containing security holes and failed to encrypt its emails. One expert noted that the firm’s Outlook email system apparently hadn't been updated since 2009.”
James Bindseil - Presilent and CEO, Globalscape believes: “Security needs to be asset-driven and information-centric because the hackers’ goal is not to infect a user, it is to damage or steal information assets. Regardless of what systems were compromised or vulnerabilities exploited, Mossack Fonseca’s greatest failure was not realizing or detecting the access and wholesale theft of four decades of archives in a record setting 2.6 terabyte cache of files.
As such, security strategy must begin by classifying the most sensitive data assets, and focusing on access, governance and policies around data retention. Even with the most trusted insiders unlimited and unchecked access should not be allowed.”
Rajiv Gupta, CEO and Founder, Skyhigh Networks points out: “On the business side, this data breach should be a wake-up call to all industries: Hackers are not just after social security, health insurance, and credit card numbers. Determined attackers follow ideological, political, and financial motives. Organizations need to assume all sensitive information — from private transactions to personal communication to intellectual property — is a target.
Organizations will need to start factoring cybersecurity capabilities into their vendor evaluation. The theft of client data draws awareness to the exposure organizations face from their business partners, especially those with access to large amounts of confidential information. Several top law firms recently suffered data breaches, a painful lesson that cybersecurity is a fundamental component of confidentiality. To an organization a good CISO is becoming just as valuable as a good attorney or a good doctor to an individual."
Tim Edgar, Academic Director of Law and Policy at Brown University's Executive Master in Cybersecurity Program states: "While it is generally good thing when corrupt practices come to light, the Panama Papers fiasco also illustrates the poor security practices – bordering on chaos – that exist at many law firms around the world. Although lawyers have a professional obligation to safeguard confidentiality, too many fail to acquaint themselves with basic information security practices, such as encryption. No one expects lawyers to be technology experts, but they do need ask the experts for their advice -- and follow it.”
Why are CMS Platforms So Vulnerable?
Although it hasn’t been confirmed whether or not the open source software vulnerabilities were the open window to accessing the data, it is certainly reasonable to point out the significance of the vulnerabilities in both older versions of WordPress and Drupal.
Mossack Fonseca isn't the first company to get tripped up by outdated software. An attacker recently breached the Los Angeles Times website through the Advanced XML Reader plug-in for WordPress, which let sites display XML files, and offered to sell access to the site. The LA Times stated that the issue has been resolved.
According to statistics from Web Technology Surveys, WordPress, Joomla, and Drupal platforms combine to support over 75% of all CMS-powered websites currently online and they are also among the most commonly hacked targets on the Internet, with over 170,000 WordPress sites being hacked last year.
Attacks targeting sites running outdated CMS versions or vulnerable plug-ins are happening much more often. Security experts appoint the plug-in ecosystem, as wrongdoers as they have poorly coded and unmaintained plug-ins. They also recommend that CMS software should consider how third-party software is influencing their platform and provide more sophisticated mechanism to secure their customers' sites.
Another pain point of CMS platforms is that there is currently no process to vet plug-ins or automatically update outdated plug-ins. The good news is that website administrators can easily search and update third-party plug-ins directly from the administrator dashboard with WordPress and Drupal.
There are also times that the problem may arise from the culture of PHP development which is known as being a quick and dirty way to get things done. That’s why, some security has been falling apart and some websites are paying the price of delivering half-assed work.
WordFence claimed that the Panamanian law firm's website, run on WordPress, is currently running a version of Revolution Slider which is vulnerable for attacks. For this reason, its team prepared a video below to demonstrate how easy it is to exploit the Revolution Slider vulnerability on a website running the newest version of WordPress and the vulnerable plugin.
Who's to Blame?
If these open source software vulnerabilities are the culprit for this massive leak, then it could be averted. No doubt that uncovering dirty money transactions and corruption public figures/world leaders is a great outcome. However, it could have been well-meaning organizations that aim to secure people’s health records, financial data, and other sensitive personal information. Once an attacker has compromised the client login permissions system powered by Drupal or other popular CMS software's, the hacker could access any client corporate information.
This Panama Papers fiasco should not be an indicator of how open source software is unreliable. Although, it definitely puts a spotlight on how low a priority some companies place on their tech departments and web security, as it is not smart to neglect to update software.
The key takeaway for CMS administrators is that they need to explore ways to keep the entire platform secure by updating the core application, plug-ins, and themes whenever there is an update available, instead of focusing on the core codebase alone. As soon as the changelog file says the new version is in need of a security update, they should make updating a high-priority task.
In the light of the information above, we would love to hear what you think the main reason is behind this massive leak. Is the culprit CMS software or the user’s lack of proper updating? Share your thoughts in the comment section below.