32 Comments

  1. Amir

    I think that companies who run such sensitive operations would be wise to use one of the great WordPress hosting services, which also takes care of updates and hack prevention. Obviously, mixing this with very outdated Drupal (or anything else) installs isn’t the wisest of ideas.

    • Gregory

      How about not placing any sensitive information on any website? I would feel pretty uncomfortable if I was asked to use WP uploader to send my passport photo and utility bills needed to open a company.

      • eka808

        I agree with you that using the upload features of a well-known tool like WordPress for sensitive information could lead to potential hacking, especially if the software is not up to date.
        However, it’s probably safer and with fewer potential bugs to use a product which has existed for years than a custom-made script in PHP written by a developer in 1 hour that will break all possible security rules.

    • Ryan Hellyer

      Giving that data to one of those great WordPress hosting services is also a bad idea.

  2. Andrew

    Hahahaha. Point taken, but aren’t we glad the crooks who run and ruin the world have some gaps in their Death Stars?

    … or whose side are you on there, stormtrooper?

  3. John Teague

    I recently wrote a blog post on what I often refer to as the culture of LAX security.

    While that post focuses on the minuscule percentage of sites running under SSL, and how to overcome historic objections to SSL, it reflects the greater problem of, often respected, hosts, dev/designers, and other ‘experts,’ downplaying security as less important than cost and convenience.

    Adding to the general lethargic history of the way security is deemphasized generally, it’s no surprise that we continue to witness increasing numbers of incidents of this scope.

    The point is that the open and closed source communities, and ancillary services, especially their leadership, must change the mediocre way security is approached, and how consumers are educated, if we want to break the culture of lax security.

    If interested, here is the original post: https://goo.gl/HBckBk

  4. Peter Cralen

    The reality is that the majority of websites are outdated with legacy technologies, vulnerable, too complicated, over-combined. From governments, big corporations, banks to hobbyist websites …

    All of these sit on outdated hosting environments with rusted machines from the time our grandmas were young ;)
    Similar to this is the user experience. On one site I can’t change the email, on another the username or can’t simply delete my account bc. this and that … “excuse”.

    Even WPTavern does not use SSL. It is a 5 minutes job today on a modern hosting environment. Your contact form is safe the same way how it looks.

    • mark k.

      +1000 (where is that reaction emoji when I need it ;) ). No point in even starting to discuss software flaws if admin access is not done over HTTPS.

  5. Miroslav Glavic

    The problem is that we, and by we I mean we in the WPTavern/WordPress community, know all about updates. The Boards of Directors/the politicians don’t see why you have to pay again to “install it again” because they think once is enough. So when you ask them to pay you for maintenance/updates, they don’t see the need: “If WordPress is secure, I/We don’t need updates”.

    Things like this eventually happen.

    They worry about how things will break for clients, even though you tell them that you will do the updates at 1am-3am local time, that way the least amount of customers/residents will be on the website.

    A website is like a car, there are more costs to it than the cost of acquiring the website/car.

  6. mark k.

    Yet another baseless sensational headline. Just because something is not on the latest release doesn’t make it insecure, and for sure no one claimed that that was the way the documents were retrieved.

    Anyway, following the logic of the title, I can have a better sensationalist headline – “In 3 months 80% of wordpress sites will be insecure” (in 3 months version 5.5 of PHP will be EOL, and only about 16% of wordpress sites use a more current one). BTW currently it is more than 50% which are not secure.

    • Davide

      I agree with you: 4.1, but which minor version?
      4.1.10 (which receives automatic updates from 4.1) is fully patched and secure even if it’s not the latest 4.4.2.
      Running “wpscan” on the website is not enough to understand the real cause of the leak.

      • mark k.

        Those are just numbers. Many wordpress security issues are related to user privilege escalation and if that site did not have open user registration it would not have been affected.

        Just because there is some security issue does not mean that it can be abused. A very basic security measure in this kind of setup would be to limit access to the admin to the IP addresses of the office, and then 90% of security issues cannot be exploited in practice.

    • Jeffr0

      What in the world is so sensationalist about Outdated and Vulnerable WordPress and Drupal Versions May Have Contributed to the Panama Papers Breach?

      It tells the reader that running outdated versions of Drupal and WordPress with known security holes may have led to the data breach. It’s not sensationalist, it’s a good headline and equally a good read. Why are you so damn cranky all the time?

      • mark k.

        You know Jeff, you are right, but then the title “global warming might have contributed to….” would have been as accurate. When you say “might have”, for most people it means that you have done some research and at least found a hint that might support your theory. With the level of investigation done here (and I really do not expect NYT level, and am happy with what I get) the only title that can be here is “the panama site ran outdated wordpress”. The hint as if it has anything to do with the hack itself is what makes it overly sensational, and you really don’t need it; people would have come to read in any case (except for maybe the slashdot crowd) and I am quite sure you do not get money for increased traffic, so it is totally not needed here.

  7. Jesse

    Wow, truly fantastic research Sarah.

    It is sad yet tell-tale how many in-house IT teams around the world have such egos that they refuse to use “real” providers and expert consultants to secure their data and infrastructure.

    On a daily basis, WordPress sites and other databases are breached at universities and companies around the world for this very reason.

    Google Apps, for example, is free for most universities, and WordPress itself is very easy to secure. But out of sheer laziness, incompetence, and ego-stroking, security is regularly ignored, resulting in mass student identity theft and corporate espionage, etc — but I guess this makes things a lot easier for the NSA and hackers, anyway…

    SSL, Disable XML-RPC, bcrypt, auto-updates are a few easy ways to immediately secure WordPress that take minutes to setup.

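The hardening measures mentioned in the two comments above (limiting admin access to office IP addresses; SSL for admin, XML-RPC off, auto-updates) can all be applied from a single must-use plugin. This is an added illustration, not code from WPTavern, the commenters or WordPress itself; the office addresses are placeholders and the hook and filter names are WordPress core ones.

```php
<?php
/**
 * Plugin Name: Example admin hardening (added illustration, not WordPress's own code)
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Placeholder office egress addresses (assumed values, replace with your own).
function example_office_admin_ips() {
    return array( '203.0.113.10', '203.0.113.11' );
}

// 1. wp-admin and wp-login.php only from the office network.
//    REMOTE_ADDR is only trustworthy when no reverse proxy/CDN sits in front
//    of PHP; behind one, configure the proxy to pass the real client address.
function example_restrict_admin_by_ip() {
    // Front-end AJAX and WP-Cron also pass through wp-admin; keep them reachable.
    if ( ( defined( 'DOING_AJAX' ) && DOING_AJAX ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return;
    }
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! in_array( $remote, example_office_admin_ips(), true ) ) {
        wp_die( 'Admin access is limited to the office network.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'example_restrict_admin_by_ip' );
add_action( 'login_init', 'example_restrict_admin_by_ip' );

// 2. Admin and login pages over HTTPS only (normally set in wp-config.php;
//    guarded here so an existing definition wins).
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
    define( 'FORCE_SSL_ADMIN', true );
}

// 3. XML-RPC off: it is a common credential brute-force and pingback abuse target.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 4. Background updates for core, plugins and themes, so the site does not
//    sit on a release with known holes.
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Test the IP restriction from outside the office before relying on it, and remember that a single site-wide allowlist does not help an organisation whose staff log in from home without a VPN.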
  8. Heather Burns

    The situation recalls the BPAS hack in 2012. Similar factors: an unknown CMS which was found to be years out of date, no security hardening despite being a public target, and an organisation using what was supposed to be a public-facing informational web site to store confidential client information. A further factor was high staff churn (e.g. there was no one working in the organisation who had been there when the web site was built) which meant no one had any idea that their data breach nightmare was building up. After the hack, BPAS received a £200,000 data protection fine on the grounds that their ignorance of their security loopholes was no excuse. Mossack Fonseca will get about as much sympathy from any Panamanian data regulators. Ultimately they hung themselves with their own rope.

    Contrast Mossack Fonseca being too lazy to update a theme, with the security precautions used by the consortium of journalists who worked on the story. http://www.wired.co.uk/news/archive/2016-04/04/panama-papers-data-leak-how-analysed-amount

  9. Ridha Harwan

    Maybe they forgot the wp-admin login password and username. So their wordpress is outdated. lol

  10. Inspector Clouseau

    Awesome! Take a tiny bit of knowledge that you heard in a bar, a bunch of wild guesses, add a dose of technical ineptitude ginned up in hyperbole and then offer it all to a clueless audience. Case closed. Book ’em Danno!

    But, it doesn’t work that way, Sarah. Exchange 2010(OWA 2009) is fully supported and sufficiently current, even Exchange 2007 is. The portal correctly uses strong TLS security, and when last did you yourself encrypt an email? Never! I doubt that anyone reading this has actually used SMIME or PGP or any other end-to-end encryption of emails. The uninformed and hypocritical condescension is nauseating.

    There’s zero chance that this leak came through WordPress/Drupal on completely different and unconnected networks and it’s HIGHLY unlikely that anyone vacuumed 2.6TB of email through Outlook Web Access.

    That’s just not how any of this works. But, you got your clickbait article and a few more clueless Twitter followers, so who cares about reality, right?

    • John Teague

      You definitely get the award today for most obnoxious, childish responder.
      If you can’t make your point without the personal attack, perhaps you need to think about growing up a few years before engaging with adults. Now, run along, Trump junior.

    • Jeffr0

      Well gee sir, you’re so smart, where’s your 20 page analytical paper that explains point by point how the data breach happened since you seem to know how all of this works. Give me a break.

  11. Justin Time

    What’s the issue with that version of OWA?

    AFAIK, there’s no way that this could have led to a hack.

  12. Ryan Hellyer

    That would require an extraordinary level of stupidity to post information like that behind nothing more than a WordPress login system.

  13. Michael

    Interesting info but I think the title is baseless. There’s no evidence that their WordPress site was breached, and even if it was, it’s highly unlikely they were storing any sensitive documents on it, let alone 11.5 million.

    • Jeffr0

      It’s not baseless and now with news that their WordPress site was running a vulnerable version of Rev Slider that allowed an attacker to easily upload and execute a remote shell, it could have led to gaining access to systems within the network.

      Also, the words “May Have Contributed” in the title are a lot different than “Contributed”. It’s called wiggle room as the story develops.

  14. John Teague
  15. Igor

    What fascinates me is that right now there is a battle between WordPress and Drupal on “whom to blame”. There are many posts around suggesting it was the “Drupalgeddon” vulnerability: http://www.drop-guard.net/blog/drupalgeddon-panama-papers
    Really curious if we find it out sometime :)
