{"id":160970,"date":"2016-04-07T11:44:20","date_gmt":"2016-04-07T09:44:20","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=160970"},"modified":"2016-04-07T11:45:22","modified_gmt":"2016-04-07T09:45:22","slug":"outdated-wordpress-installations-may-have-helped-in-panama-papers-hack","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/160970-outdated-wordpress-installations-may-have-helped-in-panama-papers-hack.html","title":{"rendered":"Outdated WordPress installations may have helped in Panama Papers hack"},"content":{"rendered":"<p>While neither the attacker nor attack vector in the recent Panama Papers hack have been identified, <strong><a href=\"http:\/\/www.forbes.com\/sites\/thomasbrewster\/2016\/04\/05\/panama-papers-amazon-encryption-epic-leak\/#5e7729551df5\" target=\"_blank\">Forbes cited<\/a>\u00a0<\/strong>outdated WordPress and Drupal installations as potential vulnerabilities that may have aided in the breach.<\/p>\n<p><strong><a href=\"http:\/\/wptavern.com\/outdated-and-vulnerable-wordpress-and-drupal-versions-may-have-contributed-to-the-panama-papers-breach\" target=\"_blank\">WordPress Tavern<\/a><\/strong> reported that the Mossack Fonseca domain had\u00a0a WordPress-powered site running on version 4.1 of the software, which was released in December 2014.<\/p>\n<p>Its main site also loads a number of outdated scripts and plugins.<\/p>\n<p>The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn\u2019t been updated for three years.<\/p>\n<p><strong><a href=\"http:\/\/www.wired.co.uk\/news\/archive\/2016-04\/06\/panama-papers-mossack-fonseca-website-security-problems\" target=\"_blank\">Wired UK noted<\/a><\/strong> that since the release of Drupal 7.23 &#8211; the version on the law firm\u2019s website &#8211; the software has received 25 security updates.<\/p>\n<p>\u201cWhich means that the version it is running includes highly-critical known vulnerabilities that could have given the hacker access to the server,\u201d said WordPress Tavern.<\/p>\n<p>Wired also found that Mossack Fonseca ran its emails through a 2009 version of Microsoft\u2019s Outlook Web Access, without any encryption.<\/p>\n<p>An anonymous source told Wired that the server was not configured according to best practices. \u201cWe\u2019re talking about a misconfigured server that enables directory listings,\u201d they said.<\/p>\n<h3 id=\"related\">More on security<\/h3>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/160932-panama-papers-leak-was-a-hack-report.html\"><strong>Panama Papers leak was a hack: report<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/160684-whatsapp-rolls-out-end-to-end-encryption-for-messages-calling.html\"><strong>WhatsApp rolls out end-to-end encryption for messages, calling<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/160368-cloudflare-versus-tor.html\"><strong>CloudFlare versus Tor<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/160004-the-drug-dealing-weapon-selling-former-south-african-crypto-king.html\"><strong>The drug-dealing, weapon-selling former South African crypto king<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Old versions of WordPress and Drupal installed on the Mossack Fonseca domain may have contributed to the security breach at the law firm.<\/p>\n","protected":false},"author":23,"featured_media":85485,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[36,36460,9645,123,17200,36464,36444,36440,36462,9647],"class_list":["post-160970","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-active","tag-alan-woodward","tag-drupal","tag-microsoft","tag-microsoft-outlook","tag-microsoft-outlook-web-access","tag-mossack-fonseca","tag-panama-papers","tag-surrey-university","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/160970"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=160970"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/160970\/revisions"}],"predecessor-version":[{"id":160974,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/160970\/revisions\/160974"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/85485"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=160970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=160970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=160970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}