Panama Papers and Open Source Software

According to reports, outdated and vulnerable versions of WordPress and Drupal, two widely used open source content management systems, are suspected to be behind the Panama Papers breach.
Tierno S. Bah
Sarah Gooding. WordPress Tavern

Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. What is clear is that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had a dangerously loose policy towards web security and communications.
The firm ran its unencrypted emails through an outdated (2009) version of Microsoft’s Outlook Web Access. Outdated open source software running the frontend of the firm’s websites is also now suspected to have provided a vector for the compromise.

In initial communications with German newspaper the Süddeutsche Zeitung (SZ), an anonymous source offered the data with a few conditions, saying that his/her life was in danger.

“How much data are we talking about?” the SZ asked.

“More than anything you have ever seen,” the source said.

The Panama Papers breach is the largest data leak in history by a wide margin, with 2.6 terabytes of data, 11.5 million documents, and more than 214,000 shell companies exposed.

Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak.

Forbes discovered the firm ran a three-month-old version of WordPress for its main site, known to contain some vulnerabilities. But more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23.

The current version of the Drupal 7.x branch is 7.43.
A release candidate (Drupal 8.1.0-rc1) of the 8.x branch is available for testing from Drupal.org, pending the final 8.1.0 release on April 20th. — Tierno S. Bah

This information is partially inaccurate, however. While looking at the site today, I found that the firm’s WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. Since that time WordPress has had numerous critical security updates.

The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory named /twentyten/.

The Mossack Fonseca client portal’s changelog.txt file is public, showing that its Drupal installation hasn’t been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server. This includes a 2014 SQL injection vulnerability known in the Drupal community as “Drupalgeddon,” which affected every site running Drupal 7.31 or below and was fixed in 7.32.

Investigators have not confirmed if the open source software vulnerabilities were used to access the data, but it is certainly plausible given the severity of the vulnerabilities in both older versions of WordPress and Drupal.

“They seem to have been caught in a time warp,” Professor Alan Woodward, a computer security expert from Surrey University, told Wired UK. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”

If these Open Source software vulnerabilities provided the access point for this massive leak, then this company’s global fiasco was entirely preventable. Although many people welcome the uncovering of corruption and dirty money transactions of famous people and world leaders, the reality is that these kinds of exploits can also be carried out on well-meaning organizations that exist to protect people’s health records, financial data, and other sensitive information.

This leak is not a blow to the credibility of open source software; rather, it underscores how low a priority some companies place on their tech departments and web security. Given how frequently vulnerabilities are disclosed in widely deployed software, leaving it unpatched for years amounts to abject neglect of customers.

The bottom line is that software needs to be updated. This kind of routine maintenance is as foundational to a company’s business as brushing teeth or showering is for one’s health. Law firms and companies with such a lax approach to security are either ignorant or unwilling to spend the money to maintain technology that they don’t fully understand. The Panama Papers serve as a reminder that having a competent, skilled tech department is critical for any company that deals in sensitive information.

Sarah Gooding
WordPress Tavern

BlogGuinée 2015: Figures and Comments

Courtesy of WordPress.com and their JetPack plugin, here are the 2015 traffic figures for BlogGuinée, with some comments:

Visits    Visitors
55,493    30,552

  • Average number of pages per visit: 1.82
  • Number of countries from which BlogGuinée was accessed in 2015: 165

Top Articles

Title                                                 Visits
Home page                                             24,184
Guinée : la politique du “problème Peul”              3,598
Angelina Jolie, Israel et la Palestine                1,640
Jeunes et patriotes, rêves et carrières brisés        968
Fulbe and Africa                                      950
Guinea Mining. Exploiting a State                     624
Loffo Camara : victime-martyre de Sékou Touré         481
Musique sacrée                                        386
André Lewin : Qui a tué Cabral ?                      351
Alpha Condé. Mésalliances, vulgarité, absurdité       305

Top ten countries of origin of visits

Rank  Country          Visits
1     United States    17,421
2     France           10,975
3     Guinea           4,305
4     European Union   4,119
5     Canada           2,427
6     United Kingdom   1,417
7     Senegal          1,306
8     Belgium          1,146
9     Germany          1,046
10    Norway           851

Referring sites

Site                   Visits
Search engines         20,940
Facebook.com           4,346
Campboiro.org          1,923
webAfriqa.net          569
webGuinée.net*         374
webPulaaku.net         291
guineeactu.info        284
Leydi.webguinee.net*   264
webFuuta.net           243
Guineepresse.info      195

* Note that webGuinée.net appears twice (as webGuinée.net and Leydi.webguinee.net), for a combined 638 visits, which keeps it in 4th place.

Comments

  1. The top ranking of the article Guinée : la politique du “problème Peul” is not surprising. This post is in fact preceded and complemented by three other pieces of mine:
  2. The success of Angelina Jolie, Israel et la Palestine underscores the validity and necessity of religious tolerance, both universally and across the three Abrahamic faiths: Judaism, Christianity and Islam. Extremists of every stripe notwithstanding.
  3. In third position, Jeunes et patriotes, rêves et carrières brisés is a painful reminder of the destruction of Guinea by Sékou Touré’s dictatorship, which attacked the very groups most capable of carrying development: intellectuals, businessmen, the liberal professions, women, etc.
  4. Fourth on the list, my anthropological essay Fulbe and Africa attempts to bring out the important role (proto-historic, prehistoric, historic, economic, cultural, political) of this vast community, which lives in three of Africa’s five regions.
  5. Rounding out the top five posts of 2015, the dossier “Exploiting a State on the Brink of Failure: The Case of Guinea” is excerpted from a longer report prepared by J.R. Mailer, a researcher at the Africa Center for Strategic Studies of the
     National Defense University, Washington, DC. I informed the Center that I had republished their document on BlogGuinée. In reply, I received not only the approval of Joseph Siegel, Ph.D., Director of the Center, but also his congratulations on the fact that my blog is read by a Guinean audience, the report’s primary target.

A Fitting Comparison

Last but not least, the WordPress.com analysts suggest the following comparison:

If BlogGuinée were a performing group, it would need a 2,700-seat venue, the Sydney Opera House (Australia) for example, and 20 nights of shows to accommodate the site’s 55,493 visits in 2015.

My best wishes to everyone for 2016.

Happy New Year 2016

Tierno S. Bah