Posted on
Drupal Security
If we had built the Mossack Fonseca website, they wouldn't be in this mess!
Reading about the Panama papers I spotted that the information originates from a compromised mail server. Somebody got admin access to the mail server, which then allowed them to download all emails sent through the company and all emails sitting in user's mail boxes. That's a lot of data - 2.6 terrabytes in total - and a lot of information which really should have been better secured.
So, how did the whistle blower get the data? The company deals with some very important and powerful people, so it must have been hard to access. Was it a disgruntled employee, a journalist going undercover as a sysadmin? No, much simpler than that. It looks like the whistleblower was a hacker who found vulnerabilities in web site content management systems, more specifically, Wordpress and Drupal.
According to tech trade paper "The Register", Mossack Fonseca had two websites running on the same server, or at least at the same IP address, as the mail server which is the source of the data leak. The main website of Mossack Fonseca was built using Wordpress, and there was also a Drupal site for logged-in client access, neither of which was up-to-date with security patches. The Wordpress site was 3 months out of date and may have given access via a vulnerable slider plugin, but the Drupal installation was very old, version 7.23 - we are currently at 7.43 - and contained very serious and widely-known vulnerabilities. 
It's very easy for hackers to scan sites for these kind of vulnerabilities and once found they can gain access to upload files to the web server, execute scripts and then completely take over that computer. In this case, once they had the ability to write files to the server they could effectively download every email in the system - and what's worse is that Mossack Fonseca wouldn't even know it was happening.
It would be easy to draw the conclusion that Drupal and Wordpress are to blame - but in fact, the real culprit is the lack of software updates. With a company like Mossack Fonseca dealing with very sensitive personal information of the very rich, you would really expect their IT systems to be set up with a high degree of security in mind, but in fact it looks very amateurish. Not only have they not done the basic and essential task of updating the CMS software, but they have the company mail server running on the same machine. It wouldn't surprise me if this was due to a top down lack of understanding of IT security, maybe the server was physically on the premises and managed by an in-house IT guy, maybe he was so busy sorting out desktop issues for lawyers that system updates were neglected. Maybe directors didn't think it was worth paying for security patches.

IT Security Solutions

How would Turtlereality prevent this from happening? Firstly, we patch all of our Drupal installations as a matter of course, normally within 48 hours of a patch being released, sometimes quicker if it is flagged as urgent. The Drupal security team do an excellent job of keeping on top of this and keeping Drupal a very secure environment, not just for the core Drupal code, but also for all contributed modules.
Drupal is very secure when it is kept up-to-date, if it is not patched, like any system, you might as well hang out a sign saying "please have all my data" 
Secondly, our servers are set up to keep domains isolated from one another. anybody gaining access to one domain could not read or write to another domain. For a client as sensitive as Mossack Fonseca, we would recommend a dedicated server. We would also recommend to any of our clients with those kind of security and privacy issues to consider specialist email hosting and not something cobbled together on the same box as the web server. Email hosting has come a long way in the last few years and our favourite option currently is Googe Apps for Work, very robust, flexible - and secure.
The one lesson that we can all learn from the Panama Papers is the importance of keeping your CMS software up to date.

Submitted by Enzo (not verified) on Wed, 04/20/2016 - 08:56

"If we had built the Mossack Fonseca website, they wouldn't be in this mess!"
Happy you don't build it !!!

I hadn't thought of it like that! One aspect of this worth noting is that all companies have a weak spot around their tech set up. At some point the non-tecnical owners need to trust the web designers - so they need to hire web designers they can trust.

Submitted by Konrad (not verified) on Thu, 04/21/2016 - 21:11

Hello. You only get web designers - better: programmers - you can trust, when you trust yourself and pay the bills. Most companies still kind of believe the web is for free and a good programmer should work for free as well.

Even so, when they have you, they do not listen, you can tell them a hundred times, "we need to update" (they should contract and pay the effort), but they would not ...

Hi Konrad. Yes, I absolutely agree. We have very often seen this dynamic at work. Business owners and descision makers are very often not technical enough to make decisions about this kind of thing - and then refuse to listen to people who are qualified, partly because it will cost them money. From their side, they don't want to get ripped off by unscrupulous operators, adn there are quite a number of those in the industry!

Submitted by David (not verified) on Fri, 04/22/2016 - 10:27

I wonder what the ramifications are for a company like Mossack Fonseca if it were to use Google Apps for Business for its mail server. The server might be in the US and that jurisdiction might make the companies using Mossack Fonseca open to litigation and investigation that they could otherwise avoid.

Profile picture for user jon pollard

Submitted by jon pollard on Fri, 04/22/2016 - 10:59

In reply to by David (not verified)

I strongly suspect that this is sitting on an old PC in a cupboard in the offices of Mossack Fonsecka - and what could be safer than that? You could even lock the cupboard if you wanted to be really safe.

Submitted by Sadart Abukari (not verified) on Mon, 04/25/2016 - 19:53

In reply to by jon pollard

Your comment reminds me of one of my colleagues who told me "Sadart, if you try hacking into my company's infrastructure, I will just unplug everything'.. I am no hacker but my colleagues think I am a hacker of a sort. I just build software with strong emphasis on security from the application layer.

Add new comment

Request a Free Quotation

Your Name