Apr 11, 16
Jon Pollard
Drupal Security
If we had built the Mossack Fonseca website, they wouldn't be in this mess!
Reading about the Panama Papers, I spotted that the information originates from a compromised mail server. Somebody got admin access to the mail server, which then allowed them to download all emails sent through the company and all emails sitting in users' mailboxes. That's a lot of data - 2.6 terabytes in total - and a lot of information which really should have been better secured.
So, how did the whistleblower get the data? The company deals with some very important and powerful people, so it must have been hard to access. Was it a disgruntled employee, or a journalist going undercover as a sysadmin? No, much simpler than that. It looks like the whistleblower was a hacker who found vulnerabilities in website content management systems, more specifically WordPress and Drupal.
According to the tech trade paper "The Register", Mossack Fonseca had two websites running on the same server, or at least at the same IP address, as the mail server which is the source of the data leak. The main Mossack Fonseca website was built using WordPress, and there was also a Drupal site for logged-in client access; neither was up to date with security patches. The WordPress site was 3 months out of date and may have given access via a vulnerable slider plugin, but the Drupal installation was very old, version 7.23 - we are currently at 7.43 - and contained very serious and widely known vulnerabilities.
It's very easy for hackers to scan sites for these kinds of vulnerabilities, and once one is found they can gain the ability to upload files to the web server, execute scripts, and then completely take over that computer. In this case, once they could write files to the server they could effectively download every email in the system - and what's worse is that Mossack Fonseca wouldn't even know it was happening.
It would be easy to draw the conclusion that Drupal and WordPress are to blame - but in fact, the real culprit is the lack of software updates. With a company like Mossack Fonseca handling very sensitive personal information of the very rich, you would really expect their IT systems to be set up with a high degree of security in mind, but in fact it looks very amateurish. Not only had they not done the basic and essential task of updating the CMS software, but they had the company mail server running on the same machine. It wouldn't surprise me if this was due to a top-down lack of understanding of IT security. Maybe the server was physically on the premises and managed by an in-house IT guy; maybe he was so busy sorting out desktop issues for lawyers that system updates were neglected. Maybe the directors didn't think it was worth paying for security patches.

IT Security Solutions

How would Turtlereality prevent this from happening? Firstly, we patch all of our Drupal installations as a matter of course, normally within 48 hours of a patch being released, sometimes quicker if it is flagged as urgent. The Drupal security team do an excellent job of keeping on top of this and keeping Drupal a very secure environment, not just for the core Drupal code but also for all contributed modules.
Drupal is very secure when it is kept up to date. If it is not patched then, like any system, you might as well hang out a sign saying "please have all my data".
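As an added illustration (not Turtlereality's code or part of the original post), here is a minimal Python check that reads the core version a Drupal 7 docroot declares in includes/bootstrap.inc and reports how many point releases it trails a known current release. The bootstrap.inc text below is constructed, and the 7.43 reference is the release this post names as current; both are assumptions for the example.

```python
import re

# Constructed stand-in for Drupal 7's includes/bootstrap.inc, which declares the
# core version as a PHP constant. A real check reads that file from the docroot.
SAMPLE_BOOTSTRAP_INC = """<?php
/**
 * @file
 * Functions that need to be loaded on every Drupal request.
 */
define('VERSION', '7.23');
"""

# The release this post names as current (7.43 in April 2016); replace it with
# the latest 7.x release at the time the check is actually run.
CURRENT_RELEASE = "7.43"

VERSION_RE = re.compile(r"""define\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def parse_drupal7_version(bootstrap_inc_text):
    """Return the VERSION constant from bootstrap.inc text, or None if it is absent."""
    match = VERSION_RE.search(bootstrap_inc_text)
    return match.group(1) if match else None


def version_tuple(version):
    """Turn '7.23' or '7.43-dev' into a comparable tuple of ints, ignoring any suffix."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def releases_behind(installed, current=CURRENT_RELEASE):
    """Count the 7.x point releases the installed core trails 'current' (0 if up to date)."""
    inst, cur = version_tuple(installed), version_tuple(current)
    if inst[0] != cur[0]:
        raise ValueError("major versions differ: %s vs %s" % (installed, current))
    return max(cur[1] - inst[1], 0)


def audit(bootstrap_inc_text, current=CURRENT_RELEASE):
    """Summarise a Drupal 7 docroot's patch state from its bootstrap.inc text."""
    installed = parse_drupal7_version(bootstrap_inc_text)
    if installed is None:
        return {"installed": None, "outdated": None, "behind": None}
    behind = releases_behind(installed, current)
    return {"installed": installed, "outdated": behind > 0, "behind": behind}


if __name__ == "__main__":
    print(audit(SAMPLE_BOOTSTRAP_INC))  # the post's 7.23 install: 20 releases behind 7.43
```

Pointing the check at every docroot on a server, and running it on a schedule, gives the kind of visibility that would have flagged a 7.23 install long before it became a problem.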
Secondly, our servers are set up to keep domains isolated from one another: anybody gaining access to one domain could not read or write to another domain. For a client as sensitive as Mossack Fonseca, we would recommend a dedicated server. We would also recommend that any of our clients with those kinds of security and privacy concerns consider specialist email hosting rather than something cobbled together on the same box as the web server. Email hosting has come a long way in the last few years, and our favourite option currently is Google Apps for Work: very robust, flexible - and secure.
The one lesson that we can all learn from the Panama Papers is the importance of keeping your CMS software up to date.